Agency gets praise for risk management; efforts advance along broad front

November 19, 2019

The Cybersecurity and Infrastructure Security Agency’s “risk management” philosophy needs faster and deeper uptake throughout government, a key industry leader says, while developments over the past week underscored the breadth of CISA activities across issues and industries.

And the House today is expected to approve a continuing resolution funding the Department of Homeland Security and other agencies until Dec. 20 as negotiations continue on fiscal 2020 funding. The Senate is expected to follow suit before adjourning later this week for Thanksgiving recess.

Larry Clinton, head of the industry-based Internet Security Alliance, in an interview said the federal government as a whole is shifting to a risk management approach to cyber, but the effort lags behind the private-sector’s embrace of “sophisticated” tools and must accelerate rapidly.

“We are losing the battle to secure cyberspace and losing it big,” Clinton said. “The CISA team has done a good job – I just want them to be able to move faster with many more resources.”

The CISA team’s efforts have ranged from rural telecom networks to industrial control systems in recent days, demonstrating both the inter-related nature of cybersecurity issues facing the country and CISA’s broad portfolio.

For instance, CISA Director Christopher Krebs has offered to assist rural internet providers on Capitol Hill regarding proposals on removing risky foreign-based equipment from telecom networks.

“There’s been a lot of discussion on the Hill about things like rip-and-replace of less than trustworthy equipment,” Krebs said at a meeting of NTCA — The Rural Broadband Association. “How does that actually happen? Who’s going to pay for that?”

Krebs said CISA could help in shaping the security requirements and funding needs of such an endeavor and pass that along to Congress.

“These are the conversations that we want to engage with you,” he said. “What does a plan looks like? What are your the actual requirements? What are the funding demands? And then facilitate that in that conversation with the Hill.”

On another front, CISA in December plans to begin gathering industry input on the findings of an interagency working group on managing the cybersecurity risks from industrial control systems, as part of supply-chain security efforts.

“The timeline is we are going to have an executive committee meeting probably sometime early next year, and the executive committee meeting is going to bring in some senior leaders from private industry to talk to them about the challenges, the risks, but also to hear from them about…their challenges [and] what they need the federal government to do” to help industry address those risks, CISA Deputy Assistant Director Richard Driggers said at a conference last week.

Meanwhile, the National Telecommunications and Information Administration is eager to share more of its work toward establishing greater software transparency with government and industry partners at CISA, as the cyber agency finalizes the agenda for its task force on managing risks to the information and communications technology supply chain.

“Yes, is the short answer,” Kolasky told Inside Cybersecurity, regarding whether CISA’s ICT Supply Chain Risk Management Task Force, which he co-chairs along with leaders from the IT and telecom industries, is examining risks presented by open source software. He added, “I think there’s advantages of open source software in that it allows for more transparency and dynamic modeling.”

Kolasky said the task force is considering “how better to interact with some of the work that’s going on at the Department of Commerce, at the NTIA.”

And a new NIST draft document on recommendations and “best practices” for securing the supply chain of critical infrastructure could factor into the work of a CISA task force on securing the information and communications technology sector, which is developing plans for “next steps” in 2020.

| Inside Cybersecurity: Agency gets praise for risk management; efforts advance along broad front