I'm very optimistic that the new administration will wisely separate the wheat from the chaff in CISA and will keep what is working while eliminating what isn't working. I encourage members of the new administration to take 15 minutes to watch CISA Director Easterly's comments made on June 12, 2024 about the CISA ICT_SCRM Task Force to understand the real value this public-private Task Force is bringing: it helps protect critical infrastructure operators from risky software and provides a means to validate trustworthy products, following the ICT_SCRM Task Force best practices for validating that products and vendors follow the Secure by Default and Secure by Design principles and practices described within the CISA Software Acquisition Guide. [As of January 27, 2025 there were over 10,000 downloads of the CISA SAG.]
I have personally seen how CISA has successfully made progress fostering public-private partnerships that produce effective and practical cybersecurity best practices. There are many productive, effective people working at CISA who need to be kept working on things that matter in cybersecurity, like the ICT_SCRM Task Force and the SRMAs; I've worked with several of these "keepers" over the years. I've also watched people in CISA with their own personal agendas create dissension at CISA, destroying teamwork and slowing progress in favor of their own egos and pet projects, wasting taxpayer money "marketing" those failed pet projects at cybersecurity conferences. Some people working within CISA have a "disdain" for commercial vendors that work hard to deliver products to solve real cybersecurity problems, and pay their taxes, in favor of foreign entities working on "open source pet projects" that directly compete with commercial offerings from US-based, tax-paying small businesses AND are not solving the most urgent cybersecurity problems plaguing America, like ransomware and software vulnerabilities.
More must be done to rebalance cyber-risk and protect software consumers from cyber-threats. CISA can be a leader in implementing real, effective solutions, but a "change in attitude and leadership" is needed before this can happen. Radical transparency is one clear, obvious and easily attainable way to achieve progress in this area. CISA needs an effective cybersecurity coxswain that will keep team CISA and their public-private partners all rowing in harmony, in the same direction as one cohesive team to achieve goals efficiently and effectively that will benefit Americans and protect against cyber-risks.
The new administration will need to separate the Wheat from the Chaff in CISA; there is plenty of good wheat to keep in CISA.
I look forward to working with the new administration on implementing effective solutions, produced by American businesses and American labor, that work to protect Americans from hackers and prevent ransomware from causing harm. I remain optimistic that cybersecurity will be given the priority it deserves under the new administration.
I look forward to continuing to work as a foot soldier in the trenches, participating in CISA's public-private partnership efforts under the very successful NRMC and SRMA leaders currently in place at CISA, and with international parties seeking to provide a more secure digital ecosystem, such as the EU-CRA initiatives to produce software products that are "Secure by Design" and "Secure by Default" as the EU-CRA law requires.