Inside Cybersecurity

January 27, 2023

Daily News

Former CISA official Kolasky urges focus on most-critical functions in cyber regulations, legislation

By Charlie Mitchell / May 19, 2022

Bob Kolasky, who formerly led CISA’s National Risk Management Center, says lawmakers and the cyber agency should focus on continuity of the most critical industry functions as Congress considers “strategically important critical infrastructure” legislation and CISA develops rules on incident reporting.

“I’d like to see a little more delineation on what’s most important” in terms of continuity of critical functions, Kolasky said, as CISA writes incident reporting rules under a new law and as lawmakers continue to push for creation of a “systemically important critical infrastructure” designation that could include new resources and responsibilities for certain industry operations.

He said it’s important that cyber best practices are being implemented by so-called “SICI” entities, but that the government doesn’t need to mandate specific controls for companies.

Bob Kolasky

Bob Kolasky, Senior Vice President for Critical Infrastructure, Exiger

Sen. Angus King (I-ME) and House Homeland Security ranking member John Katko (R-NY) have offered different versions of “SICI” legislation while CISA has been implementing what it calls a “strategically important entities” approach under existing authority.

Kolasky appeared Wednesday on a “Washington Post Live” cyber event that also included a panel with Reps. Michael McCaul (R-TX) and Elissa Slotkin (D-MI).

Now senior vice president for critical infrastructure at Exiger, Kolasky was a longtime DHS official who helped launch the Cybersecurity and Infrastructure Security Agency in 2018 and led the risk management center until his departure from CISA in March. Kolasky was interviewed by the Post’s Joseph Marks.

He urged federal officials to focus on operational continuity of the “lifeline” sectors of communications, electricity and banking, and “in particular the hardware and software components that allow those systems to function.”

“A lot more resilience” has been built into the systems in recent years, Kolasky said, while vulnerabilities remain in supply chains. “Managing risk in that space is very important,” he said.

He also discussed DHS’ “pause” on establishing a Disinformation Governance Board, which will now be reviewed by a department advisory committee. The proposed disinformation body came under intense criticism from congressional Republicans and conservative groups, though DHS said its purpose was “grossly and intentionally mischaracterized.”

Asked by Marks about the board, Kolasky said it represented a continuation of long-running and necessary DHS efforts aimed at preventing foreign adversaries from driving the information that Americans consume. CISA’s election security and “rumor control” initiatives fell under Kolasky during his tenure.

He said more work is needed on a “strategy to ensure disinformation doesn’t lead to violent attacks,” and on coordinating with social media companies “to take down” material posted by foreign adversaries. He defined disinformation as “factually untrue and intended to cause harm.”

Congress should be part of the discussion and the challenge should be tackled in a transparent manner, Kolasky said, “but it needs to be addressed.” – Charlie Mitchell (cmitchell@iwpnews.com)