Outgoing Official Pushes for CISA Shift from Risk Advisor to Risk Reducer

Benjamin Applebaum/DHS

After almost a decade and a series of massive intrusion campaigns, government and industry may finally be ready to have the crucial talk about cybersecurity metrics they’ve been avoiding.

Leaving his post for a job in the private sector, Bob Kolasky, director of the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center, wants CISA to embrace a more proactive role in helping to methodically reduce the considerable cybersecurity risk facing U.S. critical infrastructure.

“We don't call ourselves the nation's risk advisor anymore,” said Kolasky, who served his final day in government Friday. “We want at CISA to really reduce risk, and that means being able to measure risk to some degree and to do the thinking there.”

Kolasky, who is set to start as senior vice president for infrastructure at the artificial intelligence-focused risk management firm Exiger, started working on risk management for the Department of Homeland Security in 2008. He shared insights with Nextgov from a front row seat on how cybersecurity policy has evolved—and failed to evolve—over the course of the last near-decade.

Perhaps the biggest catalyst in that period happened only in Dec. 2020, when suspected Russian hackers penetrated systems of two major vendors of commercial information technology—SolarWinds and Microsoft—gaining potentially enduring access to associated victim networks, including those of nine federal agencies.

Kolasky said it’s appropriate to place cybersecurity in the context of risk management, but that “the goal is to make the country more secure, and that there are systemic ways to do that. There are things we're talking about that are fundamentally [about] market conditions and software and hardware, writ large … service providers, [Information Communications Technology] enablers, other ways to reduce risk, and I just hope we keep a focus on the ultimate goal of systemic risk reduction.”

Nine years ago, in February of 2013, regulation of commercial IT services for cybersecurity was not on the agenda for President Barack Obama. Executive Order 13636, which generated the National Institute of Standards and Technology’s Cybersecurity Framework for critical infrastructure, barred the secretary of Homeland Security from classifying commercial IT services as “critical infrastructure.”

“The Secretary shall not identify any commercial information technology products or consumer information technology services,” reads section 9 of the order.

Such section 9 entities, as they came to be known, were assigned sector-specific risk management agencies that were supposed to assess infrastructure owners’ success in adopting the NIST framework, which references various standards to guide the implementation of security controls but allows entities flexibility to choose which ones they use based on how much risk they’re able to stomach.

But in February, nearly a decade later, the Government Accountability Office was still recommending that agencies collect the information necessary to assess the framework’s adoption. “In prior reports, GAO recommended that the nine [sector-risk management agencies] (1) develop methods for determining the level and type of framework adoption by entities across their respective sectors and (2) collect and report sector-wide improvements,” GAO wrote. “Most agencies have not yet implemented these recommendations.”

“In that executive order there were performance goals, there were incentives and there was the Cybersecurity Framework. In 2013, the only thing that really got a ton of traction was the cybersecurity framework,” Kolasky said.

EO 13636 tasked the Departments of Homeland Security, Commerce and Treasury with studying potential incentives for encouraging the private sector to appropriately adopt the Cybersecurity Framework. Among the recommendations was the use of the procurement lever President Joe Biden relies on in his own cybersecurity executive order.

Following the SolarWinds-Microsoft hacking campaign and other critical infrastructure breaches, including the Colonial Pipeline ransomware attack, Executive Order 14028, issued in May 2021, will require federal agencies to adhere to a new NIST framework, one of secure software development standards. Future procurements could require at least an attestation of adherence to the Secure Software Development Framework, and commercial information and communications technology definitely qualifies as critical this time around, Kolasky said.

“We can have a conversation with industry. I think we’re much more mature [now] about having that conversation: are we where we need to be in adoption of the framework to accomplish the cybersecurity goals we're trying to accomplish?”

That conversation is again nigh. Last July, Biden also issued a National Security Memorandum refreshing Obama’s order on the development of performance standards for critical infrastructure, something to measure their success with the 2013 framework against, a sort of “standard of care” Kolasky and others have been calling for since the framework’s introduction.

“Explore models of cybersecurity investment and markets; develop data models, ontologies and automatic means of anonymizing or sanitizing data; define meaningful cybersecurity metrics and actuarial tables,” reads the DHS incentives document Kolasky says he was “heavily involved” in creating under the 2013 order.

Kolasky said greater harmonization on what a cross-sector standard of care should look like and how it should be used along with various incentives—including the potential for liability in the case of failure to adhere, or safe harbor from liability in the case of adherence—is where the government needs to be focused now.

But some of the same conditions that stunted the full blossoming of EO 13636 may still be haunting EO 14028.

“It's not that there aren't places where you couldn't use some sort of regulatory authority to advance cybersecurity goals, it's that it's very piecemeal, and in certain areas, you don't have it,” Michael Daniel, president of the Cyber Threat Alliance, a non-profit for intelligence sharing amongst cybersecurity firms, told Nextgov. “So, for example, there's really not a lot of regulation over cloud service providers.”

The Federal Communications Commission might soon disagree there. The commission recently launched a notice of inquiry to address vulnerabilities in the Border Gateway Protocol, the Internet’s routing system, which the commission warned can be hacked to redirect traffic to adversary servers. The commission is also taking other actions to secure the supply chain of information and communication technologies with a broadening view of what falls within its remit.

But agencies like the FCC are exactly what makes harmonization tricky, said Daniel, who worked with Kolasky on the implementation of the Obama order as a special assistant to the president and cybersecurity coordinator on the National Security Council.

“Many of the regulatory agencies are independent regulators, and that's good, but it does mean that it is harder to coordinate with those agencies because when you are in the White House, the thing that the independent agencies will remind you of is their independence, at every possible turn,” Daniel said.

Biden’s FCC is currently seeking comments on its authority to regulate secure internet routing, not just through wireline and wireless ISPs, but also “Internet Exchange Providers, interconnected VoIP providers, operators of content delivery networks, cloud service providers and other enterprise and organizational stakeholders.”

“There were areas that we weren't ready as a country [to approach in 2013],” Kolasky said, “and I think we're much more ready [now].”
