Recently, CrowdStrike held its annual Fal.Con for Public Sector Conference, which brings together leaders and decision-makers from across the public sector, education, and industry to discuss protecting and managing government data and networks. The Fal.Con for Public Sector Conference featured a number of keynote presentations from high-profile government cybersecurity experts and leaders, including the second day’s speaker – Bob Kolasky, CISA Assistant Director for the National Risk Management Center.
During his poignant, albeit brief, speech, Kolasky illustrated the current elevated level of cyber risk facing government agencies, private enterprises, and non-governmental organizations within our country. Pointing to a number of high-profile ransomware attacks that have occurred in just the past year, Kolasky explained that our nation is currently in a “heightened risk period,” and that our current cyber risk is, “higher than you want it to be.”
“We are seeing what is an unfortunate surge in ransomware from organized criminal groups and organized criminal groups that have ties to adversarial governments – and that ransomware surge has challenged us as a country,” Kolasky explained. “Particularly [attacks against] our critical infrastructure operations – like attacks against the Colonial Pipeline and JBS Foods.”
But, as Kolasky illustrated, the attacks aren’t just against private companies that operate our nation’s critical infrastructure. Government organizations are also a target for these criminal organizations. “We’ve also seen ransomware against state and local governments and educational institutions that are taking things offline – taking things that we all depend on offline for a period of time because criminals are trying to achieve financial gain,” Kolasky opined.
However, CISA and the National Risk Management Center are taking active steps to help reduce this risk, which prompted Kolasky to share a short, simple message for these criminal organizations: “Enough is enough.”
To help reduce the risk of cyberattack and ransomware facing our nation, Kolasky laid out a five-step plan that CISA and the current administration are currently implementing. The goal of this plan is to make, “…our cyber systems are more secure, [our country] more resilient, and [make it so] adversaries can’t do things that are going to fundamentally impact our economy, national security or community well-being.”
Those five steps include:
1) Defining national critical functions
To help prioritize activities and technology investments, government and private organizations must first identify what is most important to their operations. To accomplish this, the National Risk Management Center has been working to define critical functions – the systems and operations that, according to Kolasky, “absolutely must work against the challenge of cyber incidents.”
Examples of critical functions and systems that Kolasky provided included the ability to move natural resources through pipelines, core communications networks, the ability to secure intellectual property, the ability to conduct elections, supplying water to citizens, and managing the insurance and financial markets, among others.
2) Talking about cyber risk in terms of impact metrics
To make better business decisions about where to invest in new technologies and which areas to prioritize, it’s essential that the government have an understanding of what can happen as a result of a breach and how a vulnerability can have an impact on the things that matter most to Americans.
By identifying better sources of data and assigning metrics to the cyber challenges facing the nation, the CISA can figure out the true cost of a cyber breach or vulnerability, and make more informed decisions about which systems, operations, and processes need to be secured first, and receive the most focus and investment.
3) Increasing information sharing
According to Kolasky, the CISA is working to, “put together a richer information environment,” that will enable them to, “more quickly get information out into the hands of organizations that can do something with that information.” This need for increased cybersecurity information sharing was reflected in the recent cybersecurity-focused executive order issued by the Biden Administration, which illustrates the importance of sharing best practices and threat intelligence for improving cybersecurity postures.
4) Increasing investment in core IT operations
Making cybersecurity and IT modernization initiatives a priority and an overall larger part of government budgets can ultimately improve the security posture of agencies. To accomplish this, Kolasky explained that the CISA is exploring ways to help state and local governments invest in IT modernization and cybersecurity technologies and initiatives, “through grants and other mechanisms.”
5) Elevating the level of cybersecurity into the overall enterprise risk governance approach
For cybersecurity to become a priority across the government, it needs to become something that all senior leaders are responsible for, not just the CIO or CISO. Kolasky explained that this could potentially be accomplished by identifying, “…other financial levers to incentivize investment.” One example involved engaging with the cyber insurance community to help make them a risk mitigation tool and not just a risk transfer – empowering insurance companies to ensure that their client is putting good cybersecurity practices in place as part of their policies.
Kolasky also advocated for systemic solutions for the current cyber risk crisis facing our nation, saying that, “It’s not enough to rely on your CISO to get better at defense. But, when we have nation-states and other criminal organizations with the funds to do things that time and effort, we have to do more than just secure our way out of the problem. We have to create more resilient systems and find more systemic solutions.”