CISA cuts risk exposing small businesses to cyber threats

Illustration: Megan Robinson/Axios
As the Cybersecurity and Infrastructure Security Agency pulls back, the government's hard-won trust with small businesses and local utilities is slipping, with potentially serious implications for national security, industry executives tell Axios.
Why it matters: Small to medium-sized businesses are the backbone of the U.S. economy, and hackers know it.
- A large bank or electric grid operator may have the best security system in the world, but it doesn't matter if their third-party, smaller suppliers are vulnerable to cyberattacks.
- "You can't build a strong chain with a weak link," Henry Young, senior policy director at the Business Software Alliance, told Axios.
Threat level: Supply chain attacks have surged in recent years, with small businesses often serving as unintentional gateways.
- One such example: when ransomware groups exploited vulnerabilities in VMware Horizon software to target local governments. In that situation, the Cybersecurity and Infrastructure Security Agency was able to provide real-time alerts to exposed entities hours before the attacker started targeting them, Matthew Warner, co-founder and CEO at cybersecurity firm Blumira, told Axios.
Driving the news: Many of the employees who oversaw CISA's outreach to small businesses and critical infrastructure organizations have either taken buyouts or been laid off, according to news reports.
- And liability protections for companies sharing threat data with the federal government lapsed this month, leaving small utilities and manufacturers that don't have in-house legal teams on their own to understand how best to share such information.
The big picture: Over the last several years, CISA had expanded its regional footprint and built trust with small organizations that often lacked formal cybersecurity resources.
- The agency provides free incident response, conducts risk assessments, and helps local governments and critical manufacturers determine which new threats to prioritize.
- That support is in danger of disappearing, with few clear alternatives, said Bill Moore, CEO and founder of critical infrastructure security firm Xona.
- "It closes the options to a large degree," Moore said, noting many will have to either fly blind or spend thousands of dollars on new cybersecurity tools.
Between the lines: CISA built up trust with smaller entities over time, but that trust can evaporate when the employees who handled those relationships depart, Tony Monell, vice president of public sector at Black Kite, told Axios.
- "That institutional knowledge leaves and, as a result, it will take a lot to backfill that person," Monell said.
Reality check: CISA's outreach with small utilities and businesses was still a work in progress, executives added. But there aren't many government backstops that could fill the agency's role.
- The FBI, for example, typically focuses on law enforcement and post-breach investigations, not proactive cyber defense.
- And while sector-specific information-sharing analysis centers offer threat alerts, they don't typically provide hands-on help like incident response or penetration testing.
In a statement, Marci McCarthy, CISA's director of public affairs, said that "despite the Democrat-led shutdown, CISA continues to defend critical infrastructure, deliver actionable intelligence, and support small and medium sized businesses across the nation — even as nation-state adversaries and cyber criminals look to exploit uncertainty."
- "In the face of some legislators failing to do the job the American people have entrusted them with, CISA will continue doing ours — protecting the homeland," she added.
What to watch: Whether Sean Plankey is confirmed to lead CISA — and whether he'll bring back the agency's staff and resources for smaller organizations.
Go deeper: Government threat-sharing endangered amid major cyberattack
