CISA panel pitches idea of a National Cybersecurity Alert System

The U.S. needs a national cybersecurity alert system that would provide actionable information on threats and risks, according to a panel that advises the Cybersecurity and Infrastructure Security Agency (CISA).

Without specifying what such a system would look like or how it would behave, the panel found that “there is a genuine need for a national cybersecurity alert system that routinizes the 24/7 consideration and provisioning of cyber alerts.”

The Cybersecurity Advisory Committee (CSAC), led by former National Cyber Director Chris Inglis, created a subcommittee in March to investigate the prospect of a National Cybersecurity Alert System. The panel released its findings Wednesday at the CSAC’s virtual meeting, the third this year.

CISA wanted Inglis and his team to gain an understanding of the appetite for a system that would convey the current severity of national cybersecurity risk — either through a numerical scoring system or a color-coded method akin to the controversial Homeland Security Advisory System created after the 9/11 attacks.

CISA already provides a range of alerts, advisories, and bulletins about specific threats, but these do not provide an understanding of shifts in the types of threats or an understanding of national cyber risk, the panel found.

Inglis said the current array of reports are “not authoritative, not necessarily coherent, and they're not curated in some singular fashion over time.” As part of its work, the panel spoke with cybersecurity officials in Israel and Canada as well as at several U.S. agencies.

“We do think there's a genuine need for actionable, granular kind of information that constitutes an alert system that is actually curated over time so that we know if we go shields up, we know why we've done that and we know when to bring those shields down to some degree so that we can actually target this for the circumstances,” Inglis said.

The subcommittee determined that CISA would be the right organization to create the alert system, but the agency would face challenges in the process, Inglis said. But they explained in their report that CISA “currently lacks analytical capacity and unique, value-added data sources to be able to reliably field a national cybersecurity alert system.”

When it originally asked the experts to look into the idea, CISA referenced the 2022 “Shields Up” program that was started after Russia’s invasion of Ukraine as an example of the kind of “specific, time-delimited” warnings that provided value. The agency notified organizations that threats are significant and imminent and that defenders should lower their threshold for sharing information now.”

The campaign also saw CISA provide more general long-term cybersecurity guidance about patching, multi-factor authentication, segmentation and more. Several organizations told Inglis and others that there was real value in the information provided through the Shields Up effort.

CIRCIA and the SEC

Inglis noted that this may be the ideal time to create a national alert system as CISA organizes rules outlined in the Cyber Incident Reporting for Critical Infrastructure Act — which CISA officials refer to by its acronym CIRCIA. The watershed law will force critical infrastructure organizations to report significant cyber incidents.

Several other committee members mentioned the new incident reporting rules from the Securities and Exchange Commission (SEC) as another tool that may serve as a backdrop for the alert system.

Inglis explained that an alert system would be helped not only by the information that comes into government agencies due to the new rules, but also by organizations’ newfound need to collect this kind of data on threats.

“These should be resources, not just for kind of responding to an SEC mandate, but frankly, for increasingly a self-imposed mandate that companies, whether they're private or public to actually deal with cyber risk. How do we characterize it? How do we actually understand when it's on the rise? How do we actually marry that with information so that we can then meaningfully do something about that?” he said.

“This should actually provide tools so that when those folks respond, whether it's within a CIRCIA framework, whether it's an SEC framework, they have more granularity, they have more information and more authoritativeness associated with both of those, so that they can deal with it. I think that's the benefit here.”

CISA Director Jen Easterly said the CIRCIA and SEC rules would actually make the alert system better so that the government can actually determine — and share — when certain attacks like ransomware are increasing or decreasing.

But Easterly noted that the SEC reporting rule will be different from CIRCIA because it “will be richer in terms of informing things like TTPs and enabling us to better scope wherever the alert system lands.”

Inglis also noted that the alert system would be distinct from the SEC rules, which have faced stiff backlash in recent weeks. While the SEC rules are meant to inform investors, the alert system’s goal would be attending to cyber resilience and making underlying digital infrastructure more robust.

“I think that that is a more focused task that is at the heart of the national cyber alert system. Let's double down to make sure that the digital infrastructure meets our expectations so that we can have confidence it will do what we want it to do,” he said.

The subcommittee urged CISA to meet with stakeholders to figure out what kind of actionable or curated information would be valuable to organizations and to coordinate with other agencies that would be able to participate.

Subcommittee members believe the alerts should operate in a tiered model, where certain alerts are not public and are only given to those who need it, Inglis said.

He hammered home that the term “actionable” needs to be “atomically bound” to the idea of alerts so that the government is not simply producing another color warning system that can be ignored.

New leadership

Inglis took over the project from Tom Fanning, executive chairman of Southern Company and chair of CSAC, who will be departing the committee at the end of his two-year term in November. Ron Green and Dave DeWalt were elected as the new chair and vice chair respectively.

Other members of the subcommittee included Kevin Mandia of Mandiant, DefCon and Black Hat founder Jeff Moss and Obama administration cybersecurity official Suzanne Spaulding.

CSAC was created in 2021 to provide recommendations to Easterly and CISA, and this was their third meeting of 2023. Alongside the recommendations for a national alert system, several subcommittees provided ideas about corporate cyber responsibility, cyber-hygiene efforts, critical infrastructure, attacks on high-risk communities and the cyber workforce.

The next meeting will take place in-person in December.