US CISA launches cyber-risk initiative


By Dylan Bushell-Embling
Tuesday, 19 January, 2021



The US Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center (NRMC) has launched a new initiative aimed at reducing cyber risk to national and economic security.

The Systemic Cyber Risk Reduction Venture will be tasked with developing a framework to assess cyber risk at a national level and promoting tools to address concentrated sources of cyber risk.

In a blog post, CISA Assistant Director for the NRMC Bob Kolasky said reducing cyber risk to national security will require evaluating the cyber impact of an attack on, or outage of, critical infrastructure assets.

“Reducing shared cyber risk necessitates an evolved approach. It requires using the existing efforts around vulnerability management, threat detection, and network defence as a springboard for connecting the relationship between threat, vulnerability, and consequence with actionable metrics that drive decision making,” he said.

The new venture will have three main priorities, Kolasky said, with the first being building the underlying architecture for analysing cyber risk to critical infrastructure.

The NRMC is building a National Critical Functions Risk Architecture to assess risk to critical assets at a granular level, taking into account functions, subfunctions, assets and component-level vulnerabilities.

“Ultimately, cyber risk needs to be measured at a national level in terms of loss of functionality. What is the likelihood that a cyber incident can degrade a system in such a way that a function cannot be delivered?” Kolasky said.

“And, if that function is down, what is the impact in terms of core priorities such as safety, security, and economic competitiveness? How do we ensure that cyber incidents cannot cause national security impacts?”

The agency plans to roll out an initial operating capability for this risk architecture in 2021.

The second priority will be to develop cyber-risk metrics that will help the government better understand the relationship between threat, vulnerability and consequence on critical functions, using security ratings as a starting point.

Finally, the new initiative will seek to promote tools to address cyber-risk hotspots, with Kolasky citing the example of risk associated with an insecure software supply chain and increasing reliance on open source libraries. The recent SolarWinds Orion cyber campaign serves as a chilling example, he said.

Accordingly, the agency has prioritised software assurance as an initial area of focus for reducing systemic risk.



  • All content Copyright © 2024 Westwick-Farrow Pty Ltd