Recently, the National Society of IT Service Providers (NSITSP) released a statement on the changes at the Cybersecurity and Infrastructure Security Agency (CISA), including removing industry advisors.
Statement issues response to dismissal of CSRB, other moves
The statement by NSITSP is in response to the Trump administration’s dismissal of members of the Department of Homeland Security (DHS), which houses CISA. This includes the removal of the Cyber Safety Review Board (CSRB).
According to a memo signed by acting Secretary of Homeland Security Benjamine Huffman, the move reflects the administration’s “commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security. “
NSITSP, however, says that reducing the purpose and removing industry advisory boards will have “profound negative consequences for the cybersecurity of our nation.”
“Future committee activities will be focused solely on advancing our critical mission to protect the homeland and support DHS’ strategic priorities,” the memo states.
CSRB includes public and private sector experts who issue reports and deliver recommendations to address significant cybersecurity incidents.
Why the NSITSP responded
Channel Insider spoke to Karl Palachuk, founder and member of the NSITSP Board of Directors, and Steve Kazan, president of the NSITSP, to discuss CISA’s pivotal role in safeguarding the country’s critical infrastructure and digital assets and the significant negative impact on managed service providers (MSPs) if the agency is reduced.
“NSITSP has had a relationship with CISA for a while. One of our board members, Christopher Barber, has sat on an advisory committee with CISA and his role is to try to get managed service providers’ input into what CISA is doing,” said Kazan. “We as a group at the NSITSP said that CISA is really important to our members and one of the things that system does is it publishes vulnerabilities.”
Ensuring the voice of MSPs is heard and the importance of CISA publishing vulnerabilities is a key sticking point for the association. Members of the NSITSP have frequently utilized CISA’s web page to stay up-to-date on the latest security threats and ensure their clients are aware of those notifications. The threat landscape gets murky and costly without a centralized voice on vulnerabilities.
“Our fundamental message is that CISA has been important to the security of our members and their ability to provide security to their clients,” said Palachuk. “We would like that to continue and we would like our members to contact their representatives in the House and Senate.”
Palachuk said that in doing so, members should ask their representatives for four things: Not to cut the funding, continue the alerts, reinstate advisory councils that were eliminated, and keep CISA within DHS.
CISA significance to IT is far-reaching
Neutering CISA has wide-ranging consequences for the IT landscape. It is one of the only organizations in the world with the proper resources to stay up-to-date on international and domestic cyber threats.
Speed is the key to cyber posture. It is essential for MSPs and any other organization that uses technology to support its business to prevent, react to, and respond to security threats with as little delay as possible.
“The fact that you have a place where you can find the latest and greatest information, then you can immediately take action and figure out where the plug in is and where the patch is, but if you don’t have that central voice, a delay of a day or a week can be catastrophic,” said Kazan. “Because that virus can spread through the network, through the community, and start attacking a lot more people.”
Further, these moves’ impact on CISA will also be significant for small and medium-sized businesses (SMBs). Customized attacks often target these organizations, which rely on CISA for timely and accurate information.
SMBs are also often at the forefront of finding product vulnerabilities that they can share with larger organizations. Protecting these SMBs is important so that they can continue to find problems and increase the likelihood of sharing solutions with all users.
A future without a strong CISA
By reducing the purpose of CISA, organizations will need to seek out other sources of information on threats. If these sources don’t have the resources that a major federal agency must utilize, this could lead to inconsistent or incomplete information.
“Part of the issue is that IT consultants must immediately find another source for their information,” said Palachuk. “And if it’s not from the federal government, it’s going to come from somewhere. So, down the road, when the government wants to reintroduce something which they must inevitably, they may not find that people want to listen to them very much because you can’t rely on a source that might just suddenly disappear.”
Kazan adds that cybersecurity employees for MSPs, from small to large, will have to work harder and harder because they won’t have easy sources of information to grab, utilize, and educate themselves on. They’ll have to respond to incidents, perform remediations, and work longer hours just to keep up with their current job responsibilities.
“The ultimate message is: We need to continue to spend money. We have to continue to spend money on security,” said Palachuk. “We need CISA to continue to play this role of helping us to secure the businesses in the United States, period.”
“If you think about this in ROI terms, is the investment in CISA worth the cost, right?” Kazan posited. “If you’re saving $10 million or $100 million– what is the cost of increased cybersecurity threats or damage to the U.S. economy going to be? You can have a single threat out there that would far exceed that cost. From our perspective, the investment in CISA is a huge ROI to not only MSPs, but also to all the clients of managed service providers.”
NSITSP encourages action
NSITSP believes the industry should take a firm stand on this, regardless of individuals’ political affiliations. CISA was established to increase the country’s security in the digital landscape, and many organizations rely on the agency to do that.
To keep CISA funded and at full strength, NSITSP encourages members of the channel to take action by contacting their representatives in both the House and Senate with those aforementioned requests:
- Re-instate the CISA advisory committees
- Limit reductions in force at CISA to maintain the critical cybersecurity functions
- Maintain the scope of CISA to protect public and private sectors and critical infrastructure
- Keep CISA within DHS
NSITSP has a blog with more information on how to take action, including how to find contact information for your representatives and how to maximize the effectiveness of your request.
President Trump’s administration has made various moves in recent weeks that could have widespread consequences for the channel. Read more about how potential tariffs could create obstacles in the channel.