The U.S. government shouldn’t rigidly stick to traditional designations about which agency takes the lead on engaging with critical infrastructure sectors, the acting director of the Cybersecurity and Infrastructure Security Agency said Tuesday.
Sector risk management agency designations have long governed which agency is at the forefront of government efforts to protect each of the 16 critical infrastructure sectors, with CISA responsible for eight of them.
“When we look at our sector risk management agency construct, that’s important for a lot of reasons, It’s less important to abide by that strictly and say ‘CISA is the Sector Risk Management Agency for telecommunications,’” CISA’s Nick Andersen said at an event hosted by Auburn University’s McCrary Institute.
Rather, when responding to cyber incidents or undertaking other engagements with the private sector, the question should be who has the best relationship with a certain sector.
“We may have some owner-operators within a certain critical infrastructure sector that maybe the person they’re best positioned to receive resources from is us, or maybe it’s [Department of] Energy, or maybe it’s EPA, or maybe it’s FBI or NSA, or so forth and so on,” he said. “We just have to be comfortable with taking off those blinders and saying, ‘I don’t necessarily need to be in charge all the time no matter who I am. I just need to make sure that this owner-operator has the best partner teed up to lead that engagement.’”
The goal is to avoid another “Guam situation,” where “everybody was racing to Guam the last couple of years like kids chasing a soccer ball,” Andersen said. Guam was the site of critical infrastructure attacks on U.S. military bases that Microsoft pinned on the Chinese hacking group Volt Typhoon in 2023.
An attack on the telecommunications sector from another “Typhoon” group, Salt Typhoon, prompted questions about whether CISA’s hands are too full with all of its sector risk management agency responsibilities. House Homeland Security Chairman Andrew Garbarino, R-N.Y., raised concerns last year about how CISA handled its sector risk management agency role for the telecommunications sector after the Salt Typhoon campaign was uncovered.
