Inside Cybersecurity

April 16, 2024

Kolasky sees more opportunities for ‘operational collaboration’ with private sector entities in CISA’s future

By Sara Friedman / March 10, 2022

The outgoing leader of CISA’s National Risk Management Center says ongoing efforts to strengthen relationships with industry around critical infrastructure security are an important component of CISA’s mission and one that he hopes will continue developing as risks evolve over time.

The structure of the work with industry through DHS and the Cybersecurity and Infrastructure Security Agency has been “pretty consistent,” Bob Kolasky said, since he joined DHS in 2008. Because of that standardization, Kolasky said industry has been willing to “invest and partner with government” over the years.

Kolasky said, “What’s changed is the depth and breadth of using that structure to do partnerships and the trust and collaboration that is built over time.” The consistency was built out of the “way we’ve interacted with industry, particularly on cybersecurity issues,” and it “has been helpful,” he said.

Bob Kolasky, Director of CISA’s National Risk Management Center

He noted that the U.S. is facing many challenges when it comes to “cyber risks and the capabilities of our adversaries. While we as a country have gotten significantly better at cybersecurity, our adversaries are continuing to invest in the ability to cause harm through cyber ways.”

As a result, Kolasky said, “The urgency in terms of dealing with the risks has also been a big factor, which causes us to look for closer operational collaboration and that’s an area where we’ve made great progress over the last couple of years.”

Kolasky spoke with Inside Cybersecurity about the evolution of CISA’s risk management work and cybersecurity activities since the start of his career at DHS and subsequent transition to lead the NRMC at CISA when the cyber-focused agency was created in 2018. His last day at the agency is Friday.

At CISA, Kolasky led the development of National Critical Functions, an effort to determine the most significant critical infrastructure risks across sectors that impact national security.

“There has to be a collective understanding that there is responsibility across components to contribute to risk reduction,” Kolasky said. “And that’s helped us establish new partnerships and think through different ways to address those risks. Ultimately, that’s the goal, to get to more resilient, more secure functions to mitigate risk.”

Kolasky said, “I think that is part of why they are a big deal because they are allowing us to mitigate risk for things that are most critical to our economy, national security and our communities.” CISA’s work to model risks using the critical functions structure has allowed the agency to understand where “investments” should be made and “then when incidents potentially happen whether those incidents present significant risk at the national level,” he said.

“The analytic framework models behind the critical functions are the behind the scenes stuff that we do at the National Risk Management Center, which we’ve made good progress on,” Kolasky said. “I think and hope I’ve set the foundation that the NRMC will continue to build out these risk models where we have a rich understanding of risk to the nation’s critical infrastructure from cyber and other things that can cause functional loss.”

Election security

Kolasky has contributed to CISA’s work on election security since the sector was declared critical infrastructure following the 2016 election cycle.

Kolasky said, “The first major issue to work through was the ability to share information on threats and vulnerabilities and to be in regular communications about anything that we saw which could impact election infrastructure.” CISA worked to distribute the information “broadly across the state and local election community so others could orchestrate their defenses to where we saw threats and vulnerabilities,” he said.

Part of that effort involved investing in the Election Infrastructure Information Sharing Analysis Center as well as “setting up communications protocols where we have established processes to share knowledge of anything impacting election infrastructure around cyber threats,” Kolasky said, adding “that work was instrumental with building up trust with the state and local election community” who CISA supports.

CISA’s efforts have been “non-partisan,” with 39 secretaries of state across the country participating, but the effort was scrutinized by the Trump White House following the 2020 election and resulted in the firing of Christopher Krebs, CISA’s first director, by President Trump.

Kolasky said, “Chris would be the first to say we had general support within DHS to do our work through the totality of the Trump administration. … Things may have been different at the White House level and there might have been political pressures coming from different areas [but] within the agency and the department, they gave us the support to go out and do non-partisan elections cybersecurity.”

Kolasky said he appreciates Krebs’ leadership on elections and there was also a larger group within the agency and DHS “who believe this was important.” Former Washington Secretary of State Kim Wyman currently leads CISA’s election security work.

Supply chain initiatives

CISA stood up a public-private supply chain task force in 2019 with Kolasky as the government co-chair to bring together government leaders and representatives from the IT and telecom sectors to solve complex issues.

The Information and Communications Technology Supply Chain Risk Management Task Force has produced reports on several topics including information sharing, threat analysis, qualified bidder and manufacturer lists, vendor assurance and supply chains impacts from the COVID pandemic.

Kolasky said he measures the task force’s success by the continued involvement of “our partners in the interagency and the sectors” in the working groups and hopes the task force “will continue to be center of gravity for some shared work across supply chain risk management.”

“The task force has established itself as a structure where we can work high priority supply chain issues. A lot of that is driven by what is going to help industry do a better job of managing their own supply chain risks,” Kolasky said.

DHS and the Commerce Department released a major report in February on the ICT supply chain that contains several recommendations for the government and Congress to help revitalize the industrial base.

Kolasky said, “The report laid a good roadmap for the country to make progress in having a stronger ICT industrial base and having more confidence in the industrial base writ large, even parts that are international but which we rely on. One of the big policy goals should be to connect economic policy, international policy and security policy in a more harmonized way, where we can see real investments from the government and industry in strengthening the country and our economy but in a way that leaves us more secure and resilient.”

Kolasky is leaving government for the private sector, where he will join technology and risk management firm Exiger as senior vice president for critical infrastructure.

“I will be a cheerleader for the CISA mission,” Kolasky said. “Industry is part of the overall ability to achieve more critical infrastructure risk management so I don’t feel like I’m leaving the mission. I feel like I’m doing it from a different perch bringing to bear next generation analytics [which] is going to help us better understand risk.” -- Sara Friedman (sfriedman@iwpnews.com)