Cybersecurity in the United States: The role of US federal agencies
IVLP ‘Promote cybersecurity’ 2024 – summary of lessons learned in Washington DC, October 2024
This article is the first in a miniseries that provides insights into an IVLP cybersecurity project in the fall of 2024. My aim is to provide actionable, useful information for the professional community of European information security professionals.
About me
I am an integrated engineer and I have been working in the ICT market since 2000 in various business development and management roles, as well as a solutions architect. I am currently leading the international operations of SOCWISE / EURO ONE InfoSec, a 20-year-old cybersecurity specialist and managed security provider with a subsidiary in Germany, of which I am also the managing director. It is a small, enthusiastic team of 52. I also act as a security consultant, especially in the area of ICS security, because I have a special background in manufacturing and smart industrial systems.
I regularly speak at conferences and represent my company in forums such as ISACA and industrial chambers. I also host a podcast called CyberPod EU.
What is this program?
The International Visitor Leadership Program (IVLP) is the U.S. Department of State's flagship professional exchange initiative. It offers short-term visits to the United States for current and emerging foreign leaders from various fields, allowing them to experience the country firsthand and build lasting relationships with their American counterparts. These professional meetings align with the participants' interests and support U.S. foreign policy objectives.

Annually, nearly 5,000 International Visitors participate in the IVLP. Since its inception, over 200,000 International Visitors have engaged with Americans through the program, including more than 500 current or former Chiefs of State or Heads of Government.
About the project goals
On the one hand, there are general IVLP targets to bring societies closer, from a cooperative level of partnership through cultural and community activities. On the other hand, there are specifically professional goals, which include sharing knowledge, exchanging best practices, and building business cooperation and academic teamwork. All the participants return home with lots of business cards, direct contacts and new friendships, their heads full of new ideas and learned methodologies to start working with.
Washington D.C.
Federalism, government structure and cyber defense architecture
In order to understand the role of the various cybersecurity agencies and stakeholders in the US, we need to understand the political system and the main organs of its democratic society.
The well-known, and admittedly not very up-to-date, constitution determines the key values and main branches of the country. When the founding fathers of the United States drew up the constitution, their main goal was to build a system in which the balance of power unified society. The three branches of the federal government are:
- The legislature (the House of Representatives and the Senate)
- The executive branch (the President and their cabinet)
- The judicial branch (the Supreme Court and lower federal courts)
However, there are also state-level and local-level governments. State governments are also separated into three branches.
In some cases, the federal legislature can pass laws without state consent, but in most cases it is not just the Senate and the House, but all the states that must agree. Not only the states, but also counties and cities, have very different regulations on the same issues.
From a cybersecurity point of view, the most important consequence is that, since the constitution is simply too old to address issues like privacy or digital activity, the United States must regulate and govern these areas through laws and executive orders. This has led to federal institutions – mainly critical infrastructure and the defense organizations themselves – having mature cybersecurity regulations and practices, while the private sector and local organizations face very different situations in every state.
This partly negative status has helped the country develop a distributed ecosystem of different agencies, which are independent and cooperative at the same time. When talking to their stakeholders, you really get the impression that most of the experts and leaders are convinced that it is their responsibility, and that they must cooperate to cope with threats.
I assume that if regulations were less ambiguous and less strict, and if the actors had less freedom, then their convictions would be less steely.
The fact is that a surprisingly large number of agencies focus on security and cyber defense, and they know each other’s capabilities and competences and do cooperate with one another.
Federal Organizations in cyber defense in the US
The list of these actors could be approached from various perspectives, and my list below is most likely far from comprehensive; however, the following certainly play important roles:
Executive department offices
Departments of State, Treasury, Defense, Justice, Interior, Agriculture, Commerce, Labor, Health and Human Services, Housing and Urban Development, Transportation, Energy, Education, Veterans Affairs, and Homeland Security
Every organization faces cyber threats, but given their global status, almost all federal government organizations have to cope with a significantly higher number and complexity of adversaries in cyberspace. From the executive departments I have highlighted some, most of which the IVLP Promote cybersecurity team met in person; in my opinion these are also the most important ones. The following short definitions are framed purely around cybersecurity:
DHS (Department of Homeland Security)
While the most important cyber body within DHS is CISA, there are a number of different direct offices that are responsible for coordination and policy creation. They ensure the operation of CISA and its cooperation with other DHS organizations, because most cyber threats occur in parallel with physical threats.
DHS also has investigative capabilities and, depending on the actual situation, the department focuses on preventing criminal acts and arresting criminals.

CISA (Department of Homeland Security)
CISA was created in 2018 based on its predecessor agencies. It acts as the central homeland cybersecurity defense body. CISA has other duties as well, including infrastructure security, emergency management, integrated operations, and risk and stakeholder management.
CISA implements the standards created by NIST; it supports the country and its allied nations indirectly, and most of the critical industries in the US directly.

CISA’s main activities are:
- information and data sharing
  - see the accessible incident response trainings and ICS security trainings on the CISA website
- incident management and response
  - https://www.cisa.gov/news-events/cybersecurity-advisories (filter for alert type)
  - MS-ISAC and EI-ISAC are provided by CIS, in cooperation with CISA
- partnership development
- capacity development
- risk assessment
  - including free services for US organizations, prioritized by risk
  - CISA provides vulnerability assessment services for external attack surfaces
- network defense
  - provides network security measures through ISP networks
- emergency communications
FEMA (Department of Homeland Security)
We have often heard – even with respect to cyber incidents – that FEMA is in charge of large-scale incidents that affect the States on a societal level. FEMA's main responsibility is to coordinate the federal response to disasters that exceed local and state capabilities. Its mission includes:
- Preparing for disasters - educating and training communities.
- Responding to disasters - providing federal assistance during emergencies.
- Recovering from disasters - supporting rebuilding efforts.
- Mitigating future risks - reducing the impact of future disasters.

Secret Service (Department of Homeland Security)
We met Secret Service experts during our meeting with CISA and other representatives of the Department of Homeland Security. In the cyber field they deal with different types of cybercrime. The organization has investigators, consultants, threat intelligence experts and legal professionals. As they are also a federal player, they interact with the FBI and with state, county and city level law enforcement bodies.

FBI (Department of Justice)
The FBI carries out federal and international investigations to prevent cybercrime and to identify or arrest cyber criminals. Besides its awareness programs, the FBI is the right contact for many other nations to cooperate with in cybercrime cases, or in cases with any connection to the US. The FBI often collaborates with the largest online companies, like Meta, Microsoft and Google.

POTUS (President) / CIA
The CIA reports directly to the president. The main mission of the CIA is to gather and process information to enable the US to protect its interests, although it also provides intelligence on threats, applying its operations team in defensive and offensive actions, as well as in collaboration and research.

Department of Commerce / NIST
NIST is probably the most important organization for practitioners, as most regulations and standards are based on the Cybersecurity Framework, the Privacy Framework and the special publications it issues. Although NIST carries out a wide range of activities, I only mention information security related topics here.

Cybersecurity Framework
The de facto standard when you look for an openly available standard for defining the cybersecurity capabilities and controls of an organization. It is so well known that I do not elaborate on it here. The website is well designed, and you can find everything here: https://www.nist.gov/cyberframework
800-53 R5 - For governmental institutions in the US – and available for the rest of the world
This is more important for practitioners, as critical infrastructure in the US uses this special publication and its controls as a requirement framework to comply with. It includes 20 control families, and the controls they contain (approximately 400) are defined with people, process and technology aspects in mind.
The page of this special publication on the NIST website can be found here: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final
You can find a dozen different supporting materials there, including a spreadsheet of the controls, mappings and templates.
It is also a good reference for NIS2 in Europe. For instance, the Hungarian NIS2 legislation is mostly based on 800-53 R4, but other countries use its controls widely too.
800-171 R3
This one was also cited during our meeting at the Pentagon, as this standard is meant for the suppliers of US government organizations, whose primary objective is to protect unclassified but still important information (Controlled Unclassified Information, CUI). https://csrc.nist.gov/pubs/sp/800/171/r3/final
NIST recommendations to private companies, SME and non-critical operations
Although the page below was designed for SMEs, in America “big” means really large, whilst a medium-sized company in Europe (or in most of the world) is still big enough. In my experience there are tens of thousands of companies in Europe who should really start with the basics and focus on the following guidance, which can be hard enough to start with. At senior management level it is also useful to have a simplified overview.
This is why I recommend the following NIST site; however, it often refers to the CIS top controls, so let’s reference them both:


