The SolarWinds compromise of the software supply chain and the recent ransomware attack against Colonial Pipeline, an operator of critical energy infrastructure, have elevated the importance of governments adopting a risk-based approach to cybersecurity.
About the author
Adam Vincent is Co-Founder and CEO at ThreatConnect.
Not long after the SolarWinds attack was disclosed, the United States Cybersecurity and Infrastructure Security Agency (CISA) announced its Systemic Cyber Risk Reduction Venture, an effort to develop actionable metrics and quantify cybersecurity risk across the US’s critical infrastructure sectors, focusing on the relationship between threat, vulnerability, and consequence.
Shortly afterwards, the UK’s National Cyber Security Centre (NCSC) issued advice and guidance to security teams and IT companies on the actions they should take to minimize the impact on themselves and their customers. Through the Cyber Security Information Sharing Partnership (CiSP), it shared technical information on how to assess whether an organization was at risk and what to do if it was. CiSP, a joint industry and government initiative, allows UK organizations to share cyber threat information in a secure and confidential environment, giving them early warning of cyber threats and access to free network monitoring reports tailored to their requirements.
The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface from continued digital modernization, makes the ability to quantify and prioritize cyber risk accurately an urgent mission. Operators of critical IT infrastructure must adopt a risk-led security strategy backed by a real-time decision and operational support system if they are to mitigate future threats. Ultimately, this makes it easier to spot relevant threats and attack patterns and to gain the context needed to inform response strategies.
Taking a three-pronged approach
“No longer can cybersecurity conversations be purely focused on IT controls, such as network defense,” said Bob Kolasky, CISA Assistant Director for the National Risk Management Center in the US. “These technical capabilities must be coupled with robust risk-management practices – knowing your major risks, understanding the size of your attack surface, assessing the criticality of your digital infrastructure and then using this awareness to harden systems and add resilience in a targeted and prioritized manner.”
Cybersecurity can no longer be treated as a problem that is too difficult to measure – reducing cyber risk is imperative. The Systemic Cyber Risk Reduction Venture takes a three-pronged approach to evaluate cyber risk at a national level: building the underlying architecture for cyber risk analysis to critical infrastructure, developing cyber risk metrics, and promoting tools to address concentrated sources of cyber risk.
This new process of risk reduction uses the so-called Rosetta Stone approach, which translates the technical nature of security into the language of the business or agency. By quantifying cyber risk, CISOs gain the ability to translate cybersecurity into terms that non-technical agency leaders can understand and support from a policy, budgetary, and procedural perspective. Like many businesses, most government agencies do not know their exposure to any given cyber event, including the potential impact in terms of operational disruption, response costs, and secondary loss. This typically results in a lack of focus on the risks that matter most to the organization.
A starting point: Cyber risk metrics
The development of cyber risk metrics will provide a starting point for private sector companies, particularly those that own and operate critical infrastructure, to elevate cyber risk to their boards of directors and improve decision making. Attaching monetary value to risks can demonstrate to stakeholders what risks matter most, ascertain whether the organization has proper controls in place, estimate the potential financial loss if an attack is successful, and determine what level of security investment is necessary to meet the organization’s risk tolerance.
Automated cyber risk quantification, supported by real-time cyber threat intelligence, takes the guesswork and the accumulated human error out of the calculation and enables data-driven business decisions. Attackers don’t sleep, and neither does your agency or its IT infrastructure. With all three changing continuously, periodic snapshots and manual calculations cannot keep a cyber risk estimate current. Cybersecurity needs to become a decision support system that operates in real time rather than waiting on lengthy interviews, training, and manual reviews, and that requires automation.
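As an added example of what attaching a monetary value to a risk looks like in practice (written for this page; it is not ThreatConnect’s or CISA’s tooling), the script below models one loss scenario using the threat, vulnerability and consequence relationship the Venture focuses on: threat as an expected number of attack attempts per year (sampled as a Poisson count), vulnerability as the probability that an attempt succeeds, and consequence as a per-event loss drawn from a lognormal distribution calibrated on an estimated 90% confidence interval. It then compares the baseline against the same scenario with a control in place and checks whether the annualized loss reduction exceeds the control’s annual cost. The scenario figures, the control’s effect, the risk tolerance and the choice of a frequency-times-magnitude model are all constructed assumptions, not figures or methods the page prescribes.

```python
"""Monte Carlo cyber risk quantification: threat x vulnerability x consequence.

Added illustration, not code from the article or from any vendor product.
All scenario figures below are constructed placeholders, not real data.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_events_per_year: float  # threat: expected attack attempts per year
    p_success: float               # vulnerability: P(an attempt succeeds)
    loss_low: float                # consequence: 5th percentile of per-event loss
    loss_high: float               # consequence: 95th percentile of per-event loss


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Return (mu, sigma) so the lognormal's 5%/95% quantiles are low/high."""
    z90 = 1.6449  # standard normal quantile for the 95th percentile
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * z90)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (the stdlib random module has no Poisson)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scn: Scenario, years: int = 20_000, seed: int = 7) -> list[float]:
    """Simulate `years` independent years; each returns the total loss that year."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scn.loss_low, scn.loss_high)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, scn.threat_events_per_year)):
            if rng.random() < scn.p_success:          # vulnerability check
                total += rng.lognormvariate(mu, sigma)  # consequence draw
        losses.append(total)
    return losses


def summarize(losses: list[float], tolerance: float) -> dict:
    """Annualized loss expectancy plus the tail figures a board actually needs."""
    s = sorted(losses)
    n = len(s)

    def pct(q: float) -> float:
        return s[min(n - 1, int(q * n))]

    return {
        "ale": statistics.fmean(s),      # mean annual loss
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),                # "bad year" loss
        "p_exceeds_tolerance": sum(1 for x in s if x > tolerance) / n,
    }


def evaluate_control(baseline: Scenario, hardened: Scenario, annual_cost: float,
                     tolerance: float, years: int = 20_000, seed: int = 7) -> dict:
    """Is the control worth its cost? Compare ALE with and without it."""
    base = summarize(simulate_annual_losses(baseline, years, seed), tolerance)
    hard = summarize(simulate_annual_losses(hardened, years, seed), tolerance)
    ale_reduction = base["ale"] - hard["ale"]
    return {
        "baseline": base,
        "hardened": hard,
        "ale_reduction": ale_reduction,
        "net_benefit": ale_reduction - annual_cost,
        "justified": ale_reduction > annual_cost,
    }


if __name__ == "__main__":
    # Constructed scenario: credential phishing leading to ransomware.
    base = Scenario("ransomware via phishing", 12.0, 0.08, 250_000, 4_000_000)
    # Hypothetical control: phishing-resistant MFA cuts the success rate to 2%.
    hard = Scenario("ransomware via phishing + MFA", 12.0, 0.02, 250_000, 4_000_000)
    r = evaluate_control(base, hard, annual_cost=300_000, tolerance=2_000_000)
    for label in ("baseline", "hardened"):
        print(label, {k: (f"{v:.1%}" if k == "p_exceeds_tolerance" else f"{v:,.0f}")
                      for k, v in r[label].items()})
    print(f"ALE reduction {r['ale_reduction']:,.0f}; "
          f"net benefit {r['net_benefit']:,.0f}; justified={r['justified']}")
```

The mean (ALE) is the number that maps onto a budget line, but p99 and the probability of exceeding the stated tolerance are what determine whether the organization is actually within its risk appetite; a scenario can have an acceptable ALE and still produce an unacceptable bad year. The threat frequency is the input that threat intelligence updates; re-running the simulation whenever that figure changes is the concrete form of the real-time quantification the article argues for.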
Automated cyber risk quantification is now a reality and many industries will rely on it in the future. Government agencies should move quickly to understand their actual cyber risks better and prioritize mitigation efforts so that critical agency functions, applications, and data are protected. The Systemic Cyber Risk Reduction Venture is a bold first step in improving government and critical infrastructure cybersecurity, and the UK needs to take note and further develop its policies. There is no doubt that the time to introduce automated cyber risk quantification, supported by real-time threat intelligence, is now.