Outgoing Official Pushes for CISA Shift from Risk Advisor to Risk Reducer


After almost a decade and a series of massive intrusion campaigns, government and industry may finally be ready to have the crucial talk about cybersecurity metrics they’ve been avoiding.

Leaving his post for a job in the private sector, Bob Kolasky, director of the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center, wants CISA to embrace a more proactive role in helping to methodically reduce the considerable cybersecurity risk facing U.S. critical infrastructure.  

“We don't call ourselves the nation's risk advisor anymore,” said Kolasky, who served his final day in government Friday. “We want at CISA to really reduce risk, and that means being able to measure risk to some degree and to do the thinking there.”

Kolasky, who is set to start as senior vice president for infrastructure at the artificial intelligence-focused risk management firm Exiger, started working on risk management for the Department of Homeland Security in 2008. He shared insights with Nextgov from a front-row seat on how cybersecurity policy has evolved—and failed to evolve—over the course of the last near-decade.

Perhaps the biggest catalyst in that period happened only in Dec. 2020, when suspected Russian hackers penetrated systems of two major vendors of commercial information technology—SolarWinds and Microsoft—gaining potentially enduring access to associated victim networks, including those of nine federal agencies.

Kolasky said it’s appropriate to place cybersecurity in the context of risk management, but that “the goal is to make the country more secure, and that there are systemic ways to do that. There are things we're talking about that are fundamentally [about] market conditions and software and hardware, writ large … service providers, [Information Communications Technology] enablers, other ways to reduce risk, and I just hope we keep a focus on the ultimate goal of systemic risk reduction.”

Nine years ago, in February of 2013, regulation of commercial IT services for cybersecurity was not on the agenda for President Barack Obama. Executive Order 13636, which generated the National Institute of Standards and Technology’s Cybersecurity Framework for critical infrastructure, barred the secretary of Homeland Security from classifying commercial IT services as “critical infrastructure.”

“The Secretary shall not identify any commercial information technology products or consumer information technology services,” under section 9 of the order.

Such section 9 entities, as they came to be known, were assigned sector-specific risk management agencies that were supposed to assess infrastructure owners’ success in adopting the NIST framework, which references various standards to guide the implementation of security controls but allows entities the flexibility to choose which ones they use based on how much risk they are able to stomach.

But in February, nearly a decade later, the Government Accountability Office was still recommending that agencies collect the information necessary to assess the framework’s adoption. “In prior reports, GAO recommended that the nine [sector-risk management agencies] (1) develop methods for determining the level and type of framework adoption by entities across their respective sectors and (2) collect and report sector-wide improvements,” GAO wrote. “Most agencies have not yet implemented these recommendations.”

“In that executive order there were performance goals, there were incentives and there was the Cybersecurity Framework. In 2013, the only thing that really got a ton of traction was the cybersecurity framework,” Kolasky said. 

EO 13636 tasked the Departments of Homeland Security, Commerce and Treasury with studying potential incentives for encouraging the private sector to appropriately adopt the Cybersecurity Framework. Among the recommendations was the use of the procurement lever President Joe Biden relies on in his own cybersecurity executive order. 

Following the SolarWinds-Microsoft hacking campaign and other critical infrastructure breaches, including the Colonial Pipeline ransomware attack, Executive Order 14028, issued in May 2021, will require federal agencies to adhere to a new NIST framework of secure software development standards. Future procurements could require at least an attestation of adherence to the Secure Software Development Framework, and commercial information and communications technology definitely qualifies as critical this time around, Kolasky said.

“We can have a conversation with industry. I think we’re much more mature [now] about having that conversation: are we where we need to be in adoption of the framework to accomplish the cybersecurity goals we're trying to accomplish?”

That conversation is again nigh. Last July, Biden also issued a National Security Memorandum refreshing Obama’s order on the development of performance standards for critical infrastructure, something to measure their success with the 2013 framework against, a sort of “standard of care” Kolasky and others have been calling for since the framework’s introduction.

“Explore models of cybersecurity investment and markets; develop data models, ontologies and automatic means of anonymizing or sanitizing data; define meaningful cybersecurity metrics and actuarial tables,” reads the DHS incentives document Kolasky says he was “heavily involved” in creating under the 2013 order. 

Kolasky said greater harmonization on what a cross-sector standard of care should look like and how it should be used along with various incentives—including the potential for liability in the case of failure to adhere, or safe harbor from liability in the case of adherence—is where the government needs to be focused now.  

But some of the same conditions that stunted the full blossoming of EO 13636 may still be haunting EO 14028.

“It's not that there aren't places where you couldn't use some sort of regulatory authority to advance cybersecurity goals, it's that it's very piecemeal, and in certain areas, you don't have it,” Michael Daniel, president of the Cyber Threat Alliance, a non-profit for intelligence sharing amongst cybersecurity firms, told Nextgov. “So, for example, there's really not a lot of regulation over cloud service providers.”

The Federal Communications Commission might soon disagree there. The commission recently launched a notice of inquiry to address vulnerabilities in the Border Gateway Protocol, the Internet’s routing system, which the commission warned can be hacked to redirect traffic to adversary servers. The commission is also taking other actions to secure the supply chain of information and communication technologies with a broadening view of what falls within its remit. 

But agencies like the FCC are exactly what makes harmonization tricky, said Daniel, who worked with Kolasky on the implementation of the Obama order as a special assistant to the president and cybersecurity coordinator on the National Security Council.

“Many of the regulatory agencies are independent regulators, and that's good, but it does mean that it is harder to coordinate with those agencies because when you are in the White House, the thing that the independent agencies will remind you of is their independence, at every possible turn,” Daniel said.

Biden’s FCC is currently seeking comments on its authority to regulate secure internet routing, not just through wireline and wireless ISPs, but also “Internet Exchange Providers, interconnected VoIP providers, operators of content delivery networks, cloud service providers and other enterprise and organizational stakeholders.” 

“There were areas that we weren't ready as a country [to approach in 2013],” Kolasky said, “and I think we're much more ready [now].”