Policy professionals play a critical role in managing national and cybersecurity, yet some policy students may feel intimidated by work in these areas. On February 10, David Mussington joined the school to discuss why professionals with a public policy background are essential to the cyber and security sectors. As the executive assistant director of the Cybersecurity and Infrastructure Security Agency (CISA), Mussington shared insights into CISA’s work, goals, challenges, leadership and employment opportunities with students.
Mussington began his presentation with an exploration of CISA’s mandate, challenging the view that CISA focuses only on cybersecurity. Instead, CISA works broadly on all threats, both physical and cyber, as well as risks to critical infrastructure. Overall, it aims to protect Americans from disruptions to their safety and way of life.
“At CISA, we're focused on the concept of risk,” explains Mussington. “We’re focused on risk management and the obligation that we feel to address the risk concerns of Americans in the critical infrastructures and government and economic services that they depend upon to frame the American way of life.”
Despite its mission including physical and cybersecurity of critical infrastructure, the cyber domain receives significant focus from external stakeholders, including Congress. This is primarily because the Internet is central to American life, creating significant opportunities for malicious parties to interfere and defraud. CISA works both actively and proactively to mitigate these risks and protect Americans from harmful disruptions.
“The previously theoretical notion that cyberspace could have physical effects has now been confirmed,” says Mussington. “Many times, there are economic costs to disruptive services. There is a human cost to disrupted services. There are also costs in terms of diplomacy and national security.”
His work at CISA has also made Mussington more optimistic regarding international cooperation to protect critical infrastructure and establish norms in cyberspace. While there is still significant room for growth in this area of diplomacy, Mussington shared that he saw no reason for nation-states to reduce their cooperation.
“We need to be focused on communicating best practices to our critical and strategic partners,” urges Mussington. “We need to do intelligent [information sharing] and exchange. When incidents occur, we have to have threat hunters and other active and proactive services available to assist companies.”
Mussington closed his presentation with a discussion on diversity and inclusion at CISA, ultimately urging students and graduates to explore career opportunities with the organization. Although CISA’s areas of expertise may seem scientific, policy students and graduates provide necessary input for the organization. They also embody a deep commitment to meaningfully including underrepresented communities in cybersecurity work, including women and people of color.
“At CISA, the program here resembles some of the elements that we worked on when I was at Maryland – outreach, engagement, empowerment, and a celebration of diversity,” says Mussington. “It influences every element of how we recruit, how we do retention, and even the mechanisms we put into place to allow us to recruit people from non-traditional backgrounds.”