The Center for Internet Security, a nonprofit focused on assisting “under-served and under-resourced” entities, has recently seen a fivefold increase in state and local governments signing up for its cybersecurity services, according to CIS’ John Gilligan, who sees opportunities to expand the outreach under legislation pending in Congress.
“As an organization, we're at a point where we have been able to realize significant influence in both the state and local environment, [and] the broader worldwide cybersecurity community through our products, and it's accelerated recently,” Gilligan said.
CIS president and CEO Gilligan and chief technology officer Kathleen Moriarty discussed the group’s current efforts and vision for the future in an interview with Inside Cybersecurity. Gilligan previously ran his own consulting firm and was CIO for the Air Force and Energy Department. Moriarty is a former security innovations principal at Dell with over 20 years’ experience in information technology security.
John Gilligan, President and CEO, Center for Internet Security
The center is home to the CIS Controls and CIS Benchmarks -- widely used cyber best practices -- and also houses the Multi-State Information Sharing and Analysis Center and Election Infrastructure Information Sharing and Analysis Center.
Gilligan said, “Within our work in support of state, local, tribal and territorial organizations, we have seen a dramatic increase in the number of organizations who have signed up as members and therefore beneficiaries of the products and services that we have. We're at about 12,000 now, and that's a fivefold increase over the last 36 months. While it's certainly not every state and local organization, what we're finding is we're getting many of the organizations.”
Federal and state grants help fund those entities’ access to CIS services, Gilligan noted, which could be bolstered by a $1 billion cybersecurity grant program included in both the Senate infrastructure bill now pending before the House and the House-passed version of the fiscal 2021 National Defense Authorization Act.
Gilligan said the MS-ISAC is the only one to receive federal funding and urged lawmakers to “give funding to all of the ISACs,” which help secure each of the critical infrastructure sectors.
“The scale that we operate has allowed us to do things that are more difficult with a smaller scale and obviously we've been very fortunate to be well supported by the Congress and the Department of Homeland Security’s [Cybersecurity and Infrastructure Security Agency],” Gilligan said, noting “a significant expansion of the products and services that we provide.” For example, he said, “we're now operating -- outside of the very large companies and a few government organizations -- one of the largest security operations centers [24/7].”
CIS through an effort with Johns Hopkins University has automated the distribution of threat updates, he said, and “some states then can ingest them automatically and others have to do it manually, but that's a significant improvement in capability and timeliness of getting threat information.”
Gilligan cited a confluence of factors behind CIS’ growth and expanded reach, including the “trust relationship” fostered through the MS-ISAC as well as the benchmarks and “critical security controls.”
Kathleen Moriarty, CTO, Center for Internet Security
States are increasingly looking at standards to demonstrate “due care,” Gilligan said, pointing to a new law in Connecticut that references the CIS controls, with liability protection for companies that adhere to the standards.
Gilligan suggested that other prominent frameworks “are too general and … don't give enough guidance,” while the CIS critical security controls specifically answer users’ question of “what do I do?”
“We plan to continue [on] that path,” he said. “We think that we have a good model for organizations to incrementally improve their security. [We] try to give the organization bite-size chunks of things they can do -- through our analysis, we've demonstrated that the bite-size chunks are also the most important things to do … because these have the most significant impact against the most common threats.”
Among the key developments, he cited “a number of cloud vendors” offering configurations “reflective of our benchmarks … we're seeing a lot of organizations that are saying ‘we want to get security baked in when we go to the cloud and that's been successful over time and maybe I'll use this,’” Gilligan said.
Looking ahead, Gilligan said “we've had discussions with [Microsoft] where we would like them to produce these secure configurations as a part of what they release, so with Microsoft 11 it would be nice if they would release what we would call a benchmark version.”
He said, “We would be happy to work with vendors to bring outside collaborators to help in the review process,” while another emphasis will be on “continuing to mature” CIS’ “community defense model.”
State and local governments “will continue to be a major focus” for CIS, Gilligan said, along with other “under-served entities that the major companies don’t pay a lot of attention to. We have to make it simple for them.”
Simplicity and scale
The center’s CTO Moriarty said CIS is “very much concerned with scale” and helping organizations “off-load as much as possible” when it comes to cybersecurity. She said security must be simplified, operate at scale and require few resources to implement.
She is the author of the 2020 book “Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain.”
“What I would like to see going forward and what I'm trying to work with vendors on is, first, as an industry we need to raise the baseline of information security. We need to expect more from our vendors,” Moriarty said. “In other words, security must shift to built-in with automated continuous assurance provided by the vendor to establish benchmarks. Further out, I'd like to see the automated assurance that comes from the vendor and there's newer technology that helps with that, but it's going to take a few years to get there.”
Moriarty said, “I think this change is possible because of the threats we see. They're pervasive, they're brazen. We don't know when an attacker hits a broad base. Are they going after one specific entity and hiding that within this broader base that they're attacking?”
Moriarty said “the current threat landscape has changed things enough, and then we also have this push for zero trust that's changing things and the push for encryption everywhere. Those represent a pivot point where we can really start to make a difference and get towards that built-in theme and push the requirements on vendors so that entities in this under-resourced category don't have to get a box, harden it themselves and then keep it up to date and manage it, but [instead] they're provided this basic essential cyber hygiene from point of purchase.”
According to Moriarty, “Security must shift to built in with automated continuous assurance provided by the vendor to established benchmarks. It's going to take time and it's going to take them sort of internalizing, so ‘end-entities’ have to start pushing for this built-in security.”
She noted the executive order signed in May by President Biden “calls for built-in security” and said it is a “really good push” that may help it “become achievable.” She added, “For the vendors that do start to provide it, if they get a big market uptake because of that,” then “there’s a better chance” that “the rest will have to follow.” -- Charlie Mitchell (cmitchell@iwpnews.com)