Security

New Threat Metrics Can Help Improve Federal Cybersecurity

Cyber risk management is more than just sharing information; it includes analyzing existing and potential risk.

Bob Kolasky is the assistant director of the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center.

Whether it’s ransomware affecting schools and hospitals or data exfiltration compromising Americans’ sensitive information, the impact of cybersecurity on our daily lives is more visible than ever.

We live in a connected world where a vast sea of information about cyberthreats, vulnerabilities and incidents washes over us daily. In response, we have deepened the partnership between government and industry to share these data points, to provide tools to increase visibility and to assist with response and remediation.

This is important work, and sharing information holistically is an area where the Cybersecurity and Infrastructure Security Agency has invested heavily in maturing the capability we bring to bear for our public and private sector partners.

However, information sharing alone will never be a silver bullet. Reducing shared cyber risk requires an evolved approach.

It means using existing efforts around vulnerability management, threat detection and network defense as a springboard for connecting the relationship between threat, vulnerability and consequence with actionable metrics that drive decision-making.

Click the banner below to get access to customized security content by becoming an Insider.

The Right Resources for Critical Infrastructure

As one of our first steps, we must build the underlying architecture to conduct cyber risk analysis for critical infrastructure. Critical infrastructure is supported by a dependent web of hardware, software, services and other connected components.

Take the example of supply water, which CISA’s National Risk Management Center (NRMC) has designated a National Critical Function. Water supply and treatment interact with utilities; assets such as reservoirs; and internet-connected technology. These systems connect and depend on one another to operate.

However, there is no engine that captures all these data layers in one dynamic analytic tool. Working with sector-specific agencies such as the Environmental Protection Agency, the NRMC is building a National Critical Functions risk architecture to be that engine.

This is a complex and challenging endeavor. In time, however, this system of systems will enable us to consistently harness data and insight to answer key cyber risk management questions based on an understanding of potential impact.

Supporting efforts to better grasp the impact of cyber risk across the critical infrastructure community will involve developing usable metrics to quantify cyber risk in terms of functional loss.

The goal is to more precisely understand the relationship between threat, vulnerability and consequence on critical functions, and to bring that thinking into cost-benefit analysis for mitigating risks.

The emergence of security ratings has increased the use of cyber risk quantification to calculate and measure cyber risk exposure. These security ratings provide a starting point for companies’ cybersecurity capabilities and help elevate cyber risk to the level of board decision-making.

Our goal is to build off existing efforts, bring these partners into the fold and welcome others who are eager to add value to these important discussions to help attach cyber metrics into the national security decision-making space.

Mitigating Cyber Risk Through the Right Metrics

Also central to our venture to reduce systemic cyber risk is finding concentrated sources of risk that, if mitigated, provide heightened risk management bang for the buck.

One example is software risk. We’ve seen how a nonsecure software supply chain and increasing reliance on open-source libraries can expose us to the risk of a digital pandemic of sorts. The ubiquity of coding flaws across connected systems can create an opportunity to affect National Critical Functions.

This risk is no longer hypothetical.

Over the past two years, we’ve worked through a public-private Information and Communications Technology (ICT) Supply Chain Risk Management Task Force to identify supply chain threats, including those derived from software, and to develop guidance and tools to help ICT companies and their customers, including the federal government, reduce risk from software supply chains.

Our mission demands that we better understand and address systemic cyber risk. The steady drumbeat of the importance of cyber essentials must be complemented with a more advanced understanding of how cyber risk manifests itself in an interconnected world.

simonkr/Getty Images