Products and people are in place for CISA to succeed, agency’s departing No. 2 official says
Nitin Natarajan joined the Cybersecurity and Infrastructure Security Agency (CISA) in the early days of the Biden administration.
Over nearly four years as the agency’s No. 2, Natarajan has seen the organization mature as digital threats to U.S. critical infrastructure have generated more and more headlines.
Now, amid unprecedented breaches by China-linked hackers, CISA’s leadership team is preparing to hand the reins over to the incoming Trump administration.
Recorded Future News last week spoke virtually with Natarajan (who braved a recent winter storm to make it into his office) about the agency’s accomplishments, the future of its most high-profile digital security regulations and what it is doing to ensure no one drops the ball on January 20.
This conversation has been edited for length and clarity.
Recorded Future News: What stands out the most about the last four years?
Nitin Natarajan: If you look at CISA today versus CISA four years ago … we're the same but we're different.
We have historically always been an organization of partnerships. A lot of what we do has been predicated on strong partnerships with our state, local, tribal, territorial partners, our private sector partners and our international colleagues. That has continued. What you've seen over the last four years is a much stronger relationship in those areas.
The other big area where you don't see a lot of visibility is the way we've strengthened the foundation of CISA as an agency, really making sure, as we are six years old, we have a much more solidified foundation to grow upon.
But I also think about launching a lot of new initiatives that have moved our efforts forward. Some are visible, some are not. On the less visible side, our work with the federal civilian executive branch, really strengthening our cybersecurity in the federal government — making sure that we are doing all that we should be doing to strengthen our cybersecurity — has really evolved significantly in the last four years.
Our efforts on things like our pre-ransomware notification initiative really have been a game-changer. What we thought would be a few notifications to help people who are on the verge of being encrypted by ransomware actors has turned into thousands of notifications to critical infrastructure owners and operators around the country, including critical entities such as healthcare facilities.
We've done a lot to strengthen our information sharing efforts with our partners. You rarely ever see CISA-only branded products out of CISA anymore. It's always branded with [the FBI] and our colleagues in the intel community, or frankly, our colleagues around the globe.
RFN: What do you want to accomplish before leaving office later this month?
NN: My focus really has been on landing planes. And where are the planes that we need to land?
We're really excited about the [Information Technology Sector-Specific Goals] that came out today [January 7]. Really excited about more of those sector-specific goals that have come out. [Editor’s Note: Other examples include a publication for the chemical sector.]
RFN: Perhaps the largest initiative by CISA is crafting the cyber incident reporting mandate for critical infrastructure, dubbed CIRCIA. The final regulation is due this year. What does the future hold for it?
NN: A new team has the opportunity to mold the rule in whichever direction they choose to do. The rule was called for in legislation. There is a requirement from that perspective. So it'll be interesting to see what the new team wants to do with it.
We've made a push on voluntary reporting for quite some time now. Those efforts continue. CIRCIA was an additional element of looking to strengthen opportunities in cyber incident reporting. We'll have to see what direction a new team wants to take it.
The value and the importance of reporting, and the value that system provides in that space, has been better recognized by our partners over the last several years and now we'll have to see what the new team wants to do with the rule as it goes forward.
RFN: Is something like CIRCIA still needed to improve critical infrastructure’s digital security?
NN: It is. We need to continue to move forward and continue to have a strong reporting regimen.
We need to figure out what our right balance is. How do we do it in a way that's not too onerous to our industry partners? How do we do it in a way that has the right balance of information reporting? How do we have the right elements of privacy and those elements built into it as well? Rulemaking is a complex issue. We obviously published the [Notice of Proposed Rulemaking] last year. We received 900-plus comments.
When we're going through those and looking at how we can incorporate that into what could come out as a final rule next year, it is about finding that balance but moving the sector forward. A lot of organizations that are voluntarily reporting see the value of it and hopefully folks see the value of stronger reporting.
RFN: One sector that seems to be a particular target of cyberattacks is healthcare. What lessons has CISA learned from ransomware attacks on large entities like Ascension, Prospect and Change Healthcare?
NN: A few things. I came from the healthcare space, so the healthcare sector is near and dear to my heart. That's why I personally led our healthcare work here when we identified it as one of our priority sectors a few years ago.
It's twofold. One, we're seeing attacks against healthcare organizations unlike what we've seen in the past.
The example I use: in centuries of even kinetic warfare, you never bomb the tents with the red cross on them. Healthcare was always kind of a protected entity. Those rules don't exist for the current landscape of cybercriminals. That is not the current landscape as we deal with nation-state threats.
There's been a lot more awareness of the volume, frequency and complexity of attacks on the healthcare sector. There's been a lot of increased awareness of the complexity of the sector at large, and what we need to do to build resilience in that space. There's also been a huge effort by the Health and Human Services Department, with CISA and the sector reporting council and other private sector partners in the healthcare space to really encourage hospitals to build that resilience.
When I was in government in 2008 I was selling cybersecurity to healthcare. We were trying to convince them that this was a thing. Many didn't believe me. The CISOs did. Outside of that, there wasn't a lot of belief. Fast forward to today: I sit at events and panels and fireside chats with healthcare CEOs of the major healthcare systems in this country who are talking to me about their attack surface. Five years ago, you never would have heard a healthcare CEO talk about the attack surface of their organization.
Another issue that has been there, but we need to pay more attention to, is things like third-party risk. That's something we've seen across many sectors as being a challenge. How do we better understand that in healthcare?
RFN: The transition is happening at a unique time with the threats of Salt Typhoon and Volt Typhoon and others. What is CISA doing to ensure the continuity in the response to the ongoing hacks?
NN: We are actively participating in the transition process with the transition team and being transparent, open and providing answers to the questions that they have. Those efforts will continue between now and noon on the 20th.
The other piece to remind folks of is that CISA is 3,400 people strong. There are only about 10 of us who are appointees and will depart. The vast majority of CISA’s organization is staffed by career experts in their fields. That work is going to continue. They're still going to be engaging the way that they do. There isn't going to be a change in the day-to-day engagement that people are used to.
From that perspective, I'm confident that the work is going to continue and that the work to build resilience in our nation’s critical infrastructure against cyber and physical threats will continue. As for how that continues, every new administration comes in and will chart its own course. The fundamental elements and focus of the agency are something that will continue as we go forward.
Frankly, I'm excited to watch the future of CISA and where it goes.
Martin Matishak is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.