Whether it’s protecting a government-supported effort to produce coronavirus vaccines and treatments, or preventing interference in this November’s election, the Cybersecurity and Infrastructure Security Agency is working with industry partners to stay on top of the latest cyber threats.
In order to get a better sense of the biggest threats to national critical infrastructure, CISA is working with an Energy Department national laboratory to create a new cyber-risk framework.
Daniel Kroese, the acting deputy assistant director of CISA’s National Risk Management Center, said the National Critical Functions Risk Architecture won’t be the “perfect formula that predicts the future” of major cyber risks, but the big-data platform will identify some of the “common pathways” of cyber attacks on sectors such as energy, telecommunications and finance.
CISA’s rollout of its cyber framework comes at a time when the agency has shifted to emerging areas in need of protection, and better to quantify the “cyber loss” from incidents in the private sector.
Kroese said those impacts can include productivity loss, response costs, replacement costs, competitive advantage loss, fines and judgments, and reputational damage.
“If we want to be able to have this understanding of how vulnerabilities connect to observed consequences, we need to have a better way of quantifying and talking about cyber loss, recognizing we’re not going to have decimal-place specificity, we can begin to get a directional understanding to help guide some of these efforts,” he said Tuesday during a virtual cybersecurity conference hosted by Federal Computer Week.
Kroese said that unlike the NIST framework, CISA’s NCF Risk Architecture is more of a data platform than a tangible set of principles and best practices.
“The results of your analysis on there, perhaps we could print out, but I couldn’t just press print on the entire NCF Risk Architecture, because it’s really kind of a big-data, multi-vector solution of stitching together different relational data points and nodes of risk factors across the critical infrastructure community. I think it’s pretty distinct, but certainly not competing in terms of being helpful for resilience for connected systems,” he said.
Kroese said the risk architecture is part of CISA’s efforts to mitigate areas of “concentrated risk,” such as the agency’s work supporting the data and intellectual property behind Operation Warp Speed, the federal government’s effort to support vaccine development and treatment for the coronavirus pandemic.
“That is particularly valuable data right now, as we’ve talked about publicly, how we’ve had a lot of very productive outreach with a lot of these companies to make sure that they take advantage or at least are aware of a lot of the free hygiene scans and other tools that we have available, because right now it is a national and international imperative that there is integrity to that data,” Kroese said.
Following the Pentagon’s announcement Monday to open up military airwaves to support 5G wireless networks, Kroese said CISA has identified software assurance as an area of heightened risk for industry partners.
“Almost everything is either software or firmware-enabled at this point, and you hear the conversations around 5G security and resilience right now and why there’s so much emphasis put on trusted vendors, because you have millions of lines of code and monthly firmware updates, and it sort of makes us realize, whether it’s a backdoor or a bug, or whether it’s intentional or not, when you have the future of conductivity in the 21st century underpinned by all that code, you really need to trust that code,” Kroese said.
CISA has worked with National Telecommunications and Information Administration and other partners to make software bills of materials and other analysis tools available to the critical infrastructure community.
Meanwhile, CISA is also standing up a vulnerability disclosure platform that would standardize the process for security researchers to report vulnerabilities securely throughout the federal government.
“This has been a solid development on the vulnerability management front, not just in terms of what our internal teams triage, analyze and push out alerts on, but also how we’re offering scalable capability to the federal enterprise and mature their processes as well,” he said.
CISA has also pushed out non-binding guidance on how election infrastructure partners, particularly state and locals can create their own vulnerability disclosure programs within the election community.
Kroese said that the program, which CISA launched last month, has been a “watershed change” in terms of building trust with state and local election officials, but it also speaks to the need for broader conversations around the “criticality of data” — both operational data that keeps infrastructure running and personally identifiable information.
“Not all data is as critical as others, and if we only talk about data in a monolithic way, I don’t know if we’re going to have that tactical understanding to really tease out where the risk is,” Kroese said.