David Mussington has returned to the University of Maryland School of Public Policy after serving as CISA's executive assistant director of the Infrastructure Security Division under the Biden administration. As a professor of practice, he has brought extensive experience in national cybersecurity and infrastructure protection to his teaching and research roles.
Now that you are returning to teach at the School of Public Policy after serving as CISA’s executive assistant director for the infrastructure security division under the Biden administration, how will your experience leading national infrastructure risk management influence your teaching and research?
Managing teams inside the U.S. government required a different approach than individual research, Mussington explained. During his tenure, he had to balance stakeholder demands while maintaining space for innovation. "You have to understand the work that's ongoing for specific stakeholders inside the US government and reconcile that with the work that is of interest to stakeholders outside," he noted. His experience managing legacy work alongside innovation initiatives provides valuable insights into real-world infrastructure security challenges he plans to bring to his academic role.
During your tenure at CISA, you worked closely with state, local, tribal and territorial (SLTT) jurisdictions and the private sector to reduce infrastructure risks. What are the most urgent priorities for strengthening U.S. infrastructure security in the coming years?
The most urgent priority is addressing the nation-state threat, which is from the People's Republic of China, Russia, North Korea and Iran, Mussington stated. He detailed two critical threat clusters: "Salt Typhoon," which targeted telecommunications infrastructure with nine large telecommunications providers being attacked, and "Volt Typhoon," which focused on a family of critical infrastructures including water systems, chemical sector computing resources, pipelines, and energy sectors. These operations were particularly concerning as they aimed to achieve persistent network presence for potential future disruptions rather than just espionage. He emphasized that the Volt Typhoon campaign targets US critical infrastructures both in the US mainland and in Guam. He also mentioned that regarding these threats, CISA issued multiple advisories in collaboration with Australia, Canada, New Zealand, and the United Kingdom.
Your leadership at CISA required extensive collaboration with government entities and the private sector. What have been the biggest challenges in fostering effective public-private partnerships for infrastructure security, and how can they be addressed?
While CISA wasn't a regulator for private sector cybersecurity, the agency worked to incentivize best practices, Mussington explained. He highlighted that while other agencies like the Department of Energy regulated industry cybersecurity standards, CISA's role was to encourage and incentivize risk reduction behavior in the private sector. The Joint Cyber Defense Collaborative emerged as a successful model, enabling close technical information sharing and rapid threat response. A key innovation was the development of machine-to-machine communications for sharing risk information and accelerating IT patching processes. The Known Exploited Vulnerabilities (KEV) list has become a crucial tool, helping the industry prioritize patches for vulnerabilities actively exploited by adversaries. "What makes CISA most effective is the trust that it has built with the private sector and foreign partners," he noted, pointing to the multi-seal approach where advisories carried validation from multiple international partners.
How do you see artificial intelligence shaping the future of risk management, and what are the ethical or policy considerations that should guide its use?
Mussington saw both opportunities and challenges with AI. He emphasized the inevitability of generative AI's impact, noting that organizations were already dealing with "shadow AI" deployment by employees. He stressed the importance of enterprise-wide AI policies, particularly regarding the introduction of AI into key business processes. Drawing from his CISA experience, he highlighted how AI could have enhanced the analysis of 15-20 years of infrastructure risk assessment data. However, he warned about AI's dual-use nature, particularly in cybersecurity. Attackers could use AI to rewrite malware variants that defeat existing detection systems, potentially accelerating an arms race between defenders and attackers. He noted that coding competitions already showed AI surpassing human capabilities, raising concerns about AI-enabled cyber threats to poorly defended networks.
What policy changes or initiatives are necessary to strengthen national cybersecurity in the next decade?
The focus needed to be on anticipating private sector security decisions, Mussington argued, since most cybersecurity investments come from industry rather than government. He advocated maintaining trust-based conversations with the private sector while protecting sensitive information shared during security collaborations. The challenge of protecting critical infrastructure from state-level threats like China's Volt Typhoon and Salt Typhoon campaigns will require creative policy-making, which encompasses a combination of federal, state, and local decisions on risk tolerance, risk priorities, and affordability of risk mitigation solutions, to balance voluntary approaches with necessary protections. From a broader critical infrastructures perspective, policymaking will require reconciling the diverging incentives of public authorities (federal, state, local, tribal) and private sector businesses that own the assets at risk.
