Strategic Risk Management
A Department of Homeland Security center provides the long game of cybersecurity and critical infrastructure protection.
Daily cyber attacks and other threats naturally take up the short-term attention of many governmental agencies, but there is a need for a more strategic look at risks to the nation’s critical infrastructure. A center within the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, is charged with examining how to address those concerns over the long term. Known as the NRMC, the National Risk Management Center functions as CISA’s planning, analysis and collaboration arm, helping the Department of Homeland Security (DHS) to evaluate the interdependencies of the nation’s critical infrastructure and working to identify and take action on the largest risks to the 16 U.S. critical infrastructure sectors, says Daniel Kroese, acting deputy director, NRMC. Essentially, the center focuses on the “long game” of cybersecurity and critical infrastructure protection, through long-term efforts that cut across sectors and are aimed at stakeholder development and collective action.
“We divide our operations principally into two main buckets,” Kroese explains. “One is analysis of the risks to critical infrastructure, including cybersecurity risks, physical risks, hazards, all of the above. And then the second is executing initiatives based on the high-priority risk areas.”
The NRMC is addressing high-priority risk areas through several initiatives, such as the Tri-Sector Executive Working Group, which engages with the financial services, communications and electricity industries and government representatives. The Pipeline Cybersecurity Initiative coordinates DHS officials with pipeline operators and owners to evaluate the utility sector’s control systems, network design, configuration and interdependencies. The NRMC also leads risk management efforts concerning electromagnetic pulse; position, navigation and timing; and unmanned aircraft systems.
Meanwhile, the center’s Election Security and Resilience initiative is working with state and local election officials, law enforcement and the intelligence community to increase information, provide technical assistance and vulnerability assessments, strengthen communication channels and build trust, according to CISA officials.
“Obviously defending democracy and protecting 2020 is not only a top priority for the Cybersecurity Infrastructure Security Agency,” Kroese states. “It is a top priority for the U.S. government. This is a whole of government and whole society effort. Right now CISA is engaging with all 50 states and more than 2,400 other territories on ensuring that they have situational awareness from threat information, are sharing technical expertise in terms of what we’ve done with them on tabletop exercises and sharing best practices. This is really an all-hands-on-deck, full-court-press effort for us.”
Moreover, as the importance of supply chain risk management has grown, the NRMC has spent the last two years focusing on how to confront the systemic vulnerabilities.
“Almost every aspect of critical infrastructure risk management now has some layer of supply chain risk management as a part of it,” he notes. “And as we are going about protecting our digitally connected infrastructure, it is no longer just enough to follow a set of best practices and guidelines and cyber hygiene tips from frameworks. You must do that. But while you’re doing that, you have to ask yourself the questions of, ‘Who am I doing business with? What hardware, software and services am I deploying to do that? Where are those companies based, and who do those companies do business with?’ [This] adds a third-party lens to a lot of the existing cyber and physical infrastructure protection conversations.”
It is the center’s Information and Communication Technologies Supply Chain Risk Management Task Force that performs a large part of CISA’s supply chain risk management efforts, Kroese clarifies.
“The task force has been a really exciting example of how public-private partnership can work,” he offers. “We are trying to solve some really thorny, multidecade problems here. We’re thinking about the future of critical infrastructure in this country and where it’s vulnerable; where the risk is and how we can better harden that infrastructure in a targeted and prioritized way. Those are not easy problems.”
The task force was set up with 60 voting members: 40 people from the largest information technology and communications companies and 20 frontline officials from the U.S. government, as well as a hundred or more support staff. Through four working groups, the task force is pursuing four initial efforts: supply chain threat information sharing; supply chain threat understanding; qualified bidder lists or qualified manufacturer lists; and counterfeit information and communication technologies.
The first working group is tackling risk sharing issues that go beyond the scope of earlier legislative debates about technical cyber threat sharing. “What we were trying to really look at was solving for a different problem, which is, if one private sector entity has suspicion of a vendor that they may or may not choose to do business with, how do they go about sharing that suspicion,” Kroese explains. “That is very different than a set of ones and zeros in terms of structured and automated cyber threat indicators of vulnerabilities. This is something that potentially is more of a qualitative judgment.”
The group is working to distill the barriers that prevent many businesses from sharing the judgments they may have about the trustworthiness of potential counterparts or third parties. However, with those kinds of judgments or suspicions, there are enormous potential civil litigation risks for an organization that shares with its peers why it chose not to do business with a potential third-party vendor, he states. As such, the working group is drafting a set of recommendations and, now in its second year, has a subset of lawyers helping to tackle the complicated issue.
Meanwhile, the second working group is examining threat evaluation and understanding. It produced an interim report classifying supply chain threats into nine categories: counterfeit parts; cybersecurity; internal security operations and controls; compromise of system development life-cycle processes and tools; insider threats; inherited risk (extended supply chain); economic; legal; and external end-to-end supply chain.
“When we say supply chain threats, what actually are those threats, because they can be pretty broad,” Kroese states. “And to give a perspective of the scope here, cybersecurity is just one of those nine categories.”
The second working group then mapped the categories to existing industry partnerships or frameworks, and to guidance on best practices for managing those risks. “Ultimately, we came up with an inventory of about 45 different frameworks, whether it’s NIST, or CIS critical security controls, whether it’s ISO [International Organization for Standardization] standards or things of that nature,” he shares. “We’ve gotten good feedback—that it is really helpful to have the universe of existing positive, productive doctrine in this space. From an operator standpoint, if you’re just trying to figure out how in a world of limited resources you manage your organization’s supply chain risk, then that is it.”
The third working group examined issues surrounding lists of qualified bidders and qualified manufacturers. “The goal here was not for our task force to build those lists, but to identify criteria for what would put you on one of those lists in theory, and then also what market segments or application use cases would make the most sense for needing to use one of these lists,” Kroese cites. “They looked heavily at existing best practices of where we already have widely deployed qualified bidder manufacturer lists, whether it’s the GSA [General Services Administration] schedule or the CDM [continuous diagnostics and mitigation] approved products list. They will continue to work on that.”
To Kroese, the fourth working group was the most tactical, in trying to solve issues surrounding counterfeit information and communication technologies. He explains that in the defense industry, there is a Defense Federal Acquisition Regulation Supplement (DFARS) rule that helps protect against such counterfeit technology being procured. The civilian side, however, does not have a corresponding rule. “Working group four came out with the recommendation that effectively it can exist in the DFARS regulation and the government can create a federal acquisition rule in the civilian space to mirror that, although some sort of modifications are necessary for some of the nuances around the civilian acquisition world,” he states. “And so that’s perhaps the most targeted and tactical recommendation.”
Notably, the NRMC created a new working group last year to examine the concept of vendor attestation—a measurement or evaluation that a company has achieved a satisfactory level of screening, risk management or software development, for instance—a popular topic in the federal government. “There are a lot of entities out there that generally want to know whether they’re clearing some reasonable threshold of doing enough to manage their supply chain risks and they don’t really have a good one-stop shop of how they can assess themselves against a set of commonly agreed-upon metrics,” Kroese acknowledges. “That’s a big gap in the system currently. And so it is how do we bridge the gap from thousands of pages of widely accepted doctrine, to the rubber-hits-the-road reality of how in a resource-constrained world can well-intentioned risk managers at enterprises get some sort of initial barometer of whether from a supply chain risk management standpoint, they’re clearing a reasonable threshold.”
The new working group is developing a tool that is usable but not necessarily too prescriptive, Kroese adds. “We don’t want to create this with one definitive procurement outcome in mind,” he states. “And obviously we’re not a regulator, so we can’t create this with a regulatory output in mind. We want to produce something that is sort of community-endorsed in terms of its usability and is widely helpful going forward.”