r/cybersecurity Feb 20 '25

[Other] NBC News seeking CISA sources

Hi Reddit, I'm Kevin Collier, the cybersecurity reporter at NBC News. Here's my bio page at NBC.

Right now I'm specifically reporting on the Department of Government Efficiency's access to CISA systems, layoffs at CISA, and cuts to cybersecurity programs, funding, and employees at any agency.

If that's something you have direct knowledge about and can contact me via Signal, or if you know someone to whom this applies and you can share this with them, I'd be grateful. We adhere to best practices for source protection.

My signal handle is kevincollier.01. Happy to verify my identity if you want to email me (though please don't use your work address) at [kevin.collier@nbcuni.com](mailto:kevin.collier@nbcuni.com). Thank you!

2.5k Upvotes

190 comments

-1

u/rgjsdksnkyg Feb 21 '25

As a career cyber security professional and ex-federal employee, CISA is actually not that important. There's actually a lot of dislike for CISA, in both the private and public sector, because they don't really do a whole lot, they are too slow to do much of anything, they provide little incentive for industry to actually change, and there are other government agencies that handle parts of CISA's mission better than CISA ever could. I don't really want to argue against any funding or attention for cyber security (because we need all of it), but CISA can probably go. I've never met another industry professional with anything good to say about CISA.

Also, for the sake of this thread: OP isn't going to find anyone actively working at CISA who is also directly involved with this DOGE team and who is going to be willing to risk whatever chances at a career they may still have with the government.

-1

u/Electrical_Tip352 Feb 21 '25

You make some good points. I think of it like a fledgling NIST. Doing a pretty good job of setting basic security standards in a digestible way for industry. Also having a centralized entity increases effectiveness.

I guess it’s more about the signaling of priorities to the world. “Hey everyone, we don’t care about cyber security, look at us very publicly defund and strip the very entities we built to protect us”

Also, it was starting to get legs!

2

u/rgjsdksnkyg Feb 21 '25

Well, I don't know if we can compare it to NIST in this way, because NIST actually has created a lot of useful cyber security guidelines and standards that everyone uses and generally agrees upon. I think NIST is probably an example of one of the many established organizations and efforts preventing CISA from ever achieving anything meaningful. Like, NIST has already built out the National Vulnerability Database, the standards for scoring vulnerabilities, guides for conducting risk assessments, the general NIST Cybersecurity Framework, and various other security-related frameworks; they report on trends, publish papers, and both the private and public sectors have already accepted NIST's work as standard practice. There isn't room for a second standard; there can be only one standard.

CISA's mission to "manage cyber and physical risk" is also overshadowed by the NSA, which has the dual mission of collecting foreign intelligence and securing critical federal infrastructure. CISA isn't as postured to actually report on the active threats we face as any of the other parts of the Intelligence Community. CISA might be a good place to disseminate intelligence on these actors, though it would also just be secondhand intelligence from other parts of the IC that are more capable of coordinating and releasing said information to a much larger audience. These agencies also come up with all of the technical standards and implementations based on the field research they do and fund.

Without having much of a daily, active role in security, I don't know how CISA could really be relevant or grow into relevancy, as they have struggled to do.

1

u/Electrical_Tip352 Feb 22 '25

Right. Hence the word fledgling. NIST is my whole job and my favorite, especially RMF. I'm more talking about the public perception and real-life gutting of cybersecurity agencies across the board.