The US Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Advisory Committee has approved four draft reports aimed at strengthening national resilience against cyber threats, particularly those originating from China.
These reports were developed by various subcommittees and cover topics such as critical infrastructure resilience, secure-by-design software development, public awareness, and the security of the open-source software supply chain.
During a meeting held last week, members of the Cybersecurity Advisory Committee expressed concerns about increasing risks posed by Chinese state-sponsored cyber actors. CISA Director Jen Easterly underscored the significance of enhancing protection for critical infrastructure, especially in light of the upcoming US presidential election and the complex nature of current threats.
CISA’s focus on infrastructure resilience
One of the main reports, drafted by the Building Resilience subcommittee, found that federal agencies and critical infrastructure sectors are not adequately prepared for cyberattacks resulting from nation-state conflicts.
The report recommended that CISA’s Joint Cyber Defense Collaborative (JCDC) assist federal agencies in improving resilience and contingency planning, with a specific focus on Chinese cyber threats.
The subcommittee’s findings indicate that Chinese hackers use techniques such as “living off the land,” where they exploit software already present on targeted systems. This method complicates threat detection and requires a tailored approach to cybersecurity.
Additionally, the report advised CISA to address resource limitations faced by smaller organisations involved in critical infrastructure, as they are particularly vulnerable to such attacks.
Another report, presented by the Secure-by-Design subcommittee, emphasised the need for broader adoption of secure-by-design principles in software development.
Despite ongoing efforts, the report highlighted that some commonly held beliefs about cybersecurity lack empirical support. The subcommittee questioned whether fixing security vulnerabilities early in the development process is always more cost-effective, as is often assumed.
The report recommended that CISA commission a study to quantify the financial and customer impacts of major security breaches. Such a study would help companies better understand the economic advantages of implementing secure-by-design principles.
The Strategic Communications subcommittee’s report focused on enhancing CISA’s outreach to both the public and industry. It noted that CISA’s communications budget is smaller compared to other public-facing federal agencies, particularly when responding to crises. The subcommittee recommended that CISA adopt communication strategies used by other government agencies and private organisations to improve engagement with the public.
The report advised CISA to continue regular media outreach, suggesting quarterly background briefings with cybersecurity journalists. This would allow for consistent updates on CISA’s key priorities and activities.
A separate report from the Technical Advisory subcommittee addressed vulnerabilities in the open-source software supply chain. Given the widespread use of open-source software in modern applications, the subcommittee highlighted that these supply chains are often targeted by nation-state actors.
The report called for increased accountability in managing software dependencies and proposed the creation of an “accountable intermediary” to help mitigate risks related to open-source programs.
The subcommittee recommended that companies contribute to open-source projects and ensure that security improvements are made available across all versions of the software, rather than being restricted to premium or enterprise offerings.
Read more: CISA issues warning over critical Apache HugeGraph-Server vulnerability