CISA’s National Risk Management Center is launching a multifaceted “risk reduction venture” to help organize efforts around analyzing, measuring and providing tools to address cybersecurity risks faced by critical infrastructure.
“Using enterprise risk management best practices will be a focus for CISA in 2021, and today the National Risk Management Center (NRMC) is launching a Systemic Cyber Risk Reduction Venture to organize our work to reduce shared risk to the Nation’s security and economic security,” NRMC Director Bob Kolasky said Thursday in a blog post.
The venture will include three strands: building “the Underlying Architecture for Cyber Risk Analysis to Critical Infrastructure”; developing cyber risk metrics; and “Promoting Tools to Address Concentrated Sources of Cyber Risk.”
Kolasky wrote that “sharing information holistically is appropriately an area where the Cybersecurity and Infrastructure Security Agency has invested heavily in maturing the capability we bring to bear for our public and private sector partners. However, information sharing alone will never be a silver bullet. Reducing shared cyber risk necessitates an evolved approach. It requires using the existing efforts around vulnerability management, threat detection, and network defense as a springboard for connecting the relationship between threat, vulnerability, and consequence with actionable metrics that drive decision making.”
He pointed to CISA’s work on identifying National Critical Functions and said “there is currently no ‘engine’ to capture all these data layers in a dynamic analytic tool. Working with Sector Specific Agencies such as the Environmental Protection Agency, the NRMC is currently building a National Critical Functions Risk Architecture to be that engine. Though this is a complex and challenging endeavor, in time, this system of systems will enable us to consistently bring data and insight to bear to answer key cyber risk management questions based on an understanding of potential impact.”
Kolasky said “the National Critical Functions Risk Architecture will grow modularly to illuminate how cyber risk can eventually manifest itself in terms of functional consequence to critical infrastructure at scale. It will enable more targeted, prioritized, and strategic risk mitigation efforts and support community-wide activity around better understanding continuity of the economy resilience.”
On metrics, he said, “We’ll kick off a scoping effort in the coming months, start with narrow and achievable goals, and expand from there.”
Kolasky said, “There’s no need to get bogged down with Greek equations with decimal place-level specificity. Metrics that provide even directional or comparative indicators are enormously helpful.”
He said, “The emergence of security ratings has driven cyber risk quantification as a way to calculate and measure cyber risk exposure. These security ratings provide a starting point for companies’ cybersecurity capabilities and help elevate cyber risk to board decision making. Entities can also use security ratings alongside strategic risk metrics to align cyber scenarios with material business exposure; roll up cyber risks with financial exposure to inform risk management decisions; and measure improvement of cyber risk reduction over time. This kind of work needs to happen in the boardroom and also amongst national security leaders.”
According to Kolasky, “Our goal is to build off these existing efforts, bring these partners into the fold, and welcome others who are eager to add value to these important discussions with the purpose of attaching cyber metrics into the national security decision making space.”
On tools, Kolasky pointed to ongoing initiatives on software security and the work of the CISA-led Information and Communications Technology Supply Chain Risk Management Task Force.
“CISA aims to transition our Task Force work for use across the critical infrastructure community in the year ahead, working closely with other federal partners who have been active in the software assurance and software bill of materials (SBOM) space,” Kolasky said. “We’ll explore other ways to reduce software risk as well, including development of innovative solutions we are funding from the National Laboratories.”
Separately, President-elect Biden last week proposed a funding boost for CISA and for federal technology upgrades in response to the SolarWinds hack.
Internet Security Alliance president and CEO Larry Clinton noted: “The federal government needs to modernize not only its technology but its approach to cyber issues. They can find excellent models in the private sector. Government tends to still view cyber as essentially a technical issue; it’s not. Cybersecurity is an enterprise-wide risk management issue with a technical component. The private sector, on the other hand, has over recent years increasingly viewed cyber as a strategic issue. This fundamentally different approach has major implications in terms of how cybersecurity money is spent and as a result can generate increased effectiveness of cyber spending.”