Federal, state and local cybersecurity officials talk constantly about the need for better collaboration between different levels of government and the other critical sectors with which they work, but those efforts are only successful if the resources and information being shared are relevant, Nitin Natarajan, the deputy director of the Cybersecurity and Infrastructure Security Agency, said Monday.
Speaking with a pair of big-city chief information security officers — San Francisco’s Michael Makstman and Boston’s Greg McCarthy — on the opening day of RSA’s annual conference, Natarajan said that while closer relationships between the federal government and its state and local counterparts are vital to improving cyber defenses, different parties often have different needs.
“There are going to be times when state and local government and the federal government are not going to be in line,” he said. “We want our partners to continue to collaborate with us. We want to make sure the resources we’re bringing to bear are actually useful.”
Natarajan said one of the hurdles to achieving that is making sure that state and local agencies that ask the federal government for cybersecurity help, often in the form of grants, don’t get bogged down by bureaucratic requirements.
“Anyone who’s worked with any type of federal grant knows there’s a lot of reporting requirements,” he said. “One of the things we’re talking through is how do we get the best dollar for investment.”
He added that some federal grant programs put recipients in a position in which “we’re going to give you $5 but we’re going to make you do $15 worth of administrative work,” which he said was common in the early years of the Department of Homeland Security.
“How do we get the money on the ground to be utilized most effectively? It’s a burden, but it’s necessary,” he said.
The amount of money DHS gives states and localities for cybersecurity programs could jump if Congress passes a bill introduced last week creating a $500 million annual grant program.
Natarajan did say the state cybersecurity advisers CISA has begun hiring — a result of language in last year’s defense authorization bill — are beginning to make an impact by forming more direct relationships with state and local officials. Those advisers, who will eventually be hired for all 56 U.S. states and territories, will be “one-to-many” contacts capable of amplifying the agency’s reach, he said.
“We don’t want them working just with the state entity,” he said. “It’s going to allow us to attend your weekly, quarterly meeting and reach that broader audience. We want to continue to grow that regional footprint.”
He also touted recent changes to the .gov top-level domain, which is now administered by CISA and is currently free for state and local governments.
Natarajan also stressed the ongoing roles played by intergovernmental organizations like the Multi-State Information Sharing and Analysis Center and professional associations like the newly formed Coalition of City CISOs, which Makstman and McCarthy launched last year. Natarajan urged cities during the event to pool resources with each other and consider forming partnerships with colleges and universities in their communities.
(Natarajan, a former critical infrastructure policy director in the Obama administration, joined CISA in February. The agency remains under the leadership of acting director Brandon Wales, though President Joe Biden has nominated Jen Easterly, head of Morgan Stanley’s global fusion center, to run the agency.)
Building successful relationships between CISA and its state and local partners is about “getting the right information to the right people at the right time,” and making sure information is flowing in both directions, Natarajan said.
“I don’t want to be sitting in D.C. just having people send me reports,” he said. “What I want to hear is how is this driving your decision making? Is it the right information? We’re not going to solve it purely as a federal government. We’re committed to improving our products, improving our training, improving our relationships.”