Inside Cybersecurity

September 22, 2020

Todt: CISA’s critical functions risk analysis hub creates opportunity to evolve relationships with industry

August 18, 2020

Cyber policy veteran Kiersten Todt says the CISA effort to create an analytical hub for matching vulnerabilities and potential consequences across critical infrastructure sectors offers a unique opportunity to push government-industry collaboration to a new level.

The platform under development at the Cybersecurity and Infrastructure Security Agency would be available to federal agencies as well as bodies like the Federal Acquisition Security Council, Committee on Foreign Investment in the United States and the Federal Communications Commission, a CISA official said last week, and is expected to be of interest to industry as well.

Todt, who heads the Cyber Readiness Institute and was executive director of the 2016 Commission on Enhancing National Cybersecurity, suggested that CISA should reach out to the private sector at the front end as it builds the platform. “My sense is they will be reaching out, probably starting with the interagency work and then building out,” she said.

Kiersten Todt, Managing Director, Cyber Readiness Institute

“This is about three pieces,” Todt told Inside Cybersecurity. First, the initiative creates a common language around threat assessment and risk analysis across the federal government and between government and industry, Todt said, with an eye on how critical infrastructure is evolving through technology and social media.

Second, she said, it “maps the architecture in order to better plan for low-probability, high-impact events.”

And third, the platform can “create a diverse hub of activity around information sharing, it’s an evolution of things that have been happening” in the info-sharing space. “There has to be more value than just telling industry you have to share data.”

The initiative is timely and welcome, Todt said, because “it is time to be rethinking critical infrastructure and functions.”

CISA official Daniel Kroese explained last week that the agency is developing a platform that can leverage work across 16 critical infrastructure areas to determine areas of critical risk, with an eye toward building an analytic hub as a “best in breed U.S. government solution.”

Kroese said the platform would be available to federal agencies and that a “range of private sector customers” might be interested as well.

“The idea is to create a scalable multi-dimensional technology enabled platform that will capture, store and analyze multiple axes of threat vulnerability and consequence data points across multiple layers of critical infrastructure equities whether that is sectors, assets, organizations, functional delivery networks, subfunctions, systems, enabling technologies, componentry, etc.,” Kroese said.

Todt noted that stakeholders should “make sure it is best in breed, and the key to that is bringing in the private sector and making them part of the building process. The partners -- agencies and the private sector -- have to be part of the building so that it’s relevant.”

The concept of the hub “represents progress,” Todt said, but it “needs resources and buy-in across government. It also requires leadership.”

“DHS recognizes this, it’s part of a transformation at CISA that includes a focus on incident response, moving to the cloud, and steps like transferring [management of] the continuous diagnostics and mitigations program to the [DHS] Quality Service Management Office,” she said.

An industry source cited potential concerns about the government’s data collection under the initiative, saying it could raise regulatory issues. But Todt said such concerns could be addressed at the front end.

“This is part of that overall transformation -- and it requires partnership,” Todt said. “The key is, it has to be done with industry, bring them in on what data is collected and get the buy-in. You can avoid regulatory concerns about data collection.”

She said, “The sequencing is important. Business should be brought in at the start to provide wish lists. I don’t get the sense at all that they want to ‘impose’ anything through this initiative. … You want to get the federal agencies to buy into the program, and that will give industry more reason to join a collaborative effort.”

Todt said the COVID-19 pandemic “has shown us what happens when we’re not prepared for a low-probability, high-impact event,” and praised the CISA initiative for “mapping vulnerabilities and risk.” -- Charlie Mitchell (cmitchell@iwpnews.com)