Feds Get More Risk-Aware with Energy Dept. and DHS Cybersecurity Plans

September 5, 2019  Steve Ward

It’s been a pivotal week in US government cybersecurity. The White House eliminated the role of cyber coordinator, sending ripples of concern through the industry that the Administration was moving the issue to the back burner by handing it off to lesser officials in the National Security Council. At the same time, the government rolled out cybersecurity plans from the Department of Homeland Security and the Department of Energy that carry very much the opposite message: a heavy emphasis on cyber defenses, and in particular an elevated focus on cyber risk.

Department of Energy Multiyear Plan for Energy Sector Cybersecurity

This five-year plan from the DOE’s Office of Electricity Delivery and Energy Reliability arrives in an increasingly worrisome threat landscape: 76% of utility executives surveyed by Utility Dive see a cyberattack on the electric grid as likely in the next five years. The DOE’s strategies fall under two headings: “strengthen today’s energy delivery system” and “develop game-changing solutions.”

“Anticipating and reacting to the latest cyber threat is a ceaseless endeavor that requires ever more resources and manpower. This approach to cybersecurity is not efficient, effective, nor sustainable in light of escalating cyber threat capabilities. We must recognize today’s realities: resources are limited, and cyber threats continue to outpace our best defenses. To gain the upper hand, we need to pursue disruptive changes in cyber risk management practices…

“DOE will use risk-based methods to make decisions and prioritize activities to support the risk management responsibilities of energy owners and operators.”

Department of Homeland Security Cybersecurity Strategy

The new plan from DHS puts risk identification at the top of the agenda as the first of five “pillars” that support its goals in cybersecurity for the next five years.

“DHS must understand the global cybersecurity landscape and associated risks at the strategic level to effectively allocate our resources and prioritize departmental efforts to address vulnerabilities, threats, and consequences across all of our cybersecurity activities.”

The document evokes the 9/11 attacks implicitly, saying “we must anticipate the changes that future technological innovation will bring, ensure long-term preparedness, and prevent a ‘failure of imagination’.” To that end, DHS promises to build its capability to “identify evolving cybersecurity risks” and “address gaps in analytic capabilities and risk management efforts across DHS and national cybersecurity stakeholders.”

Both 5-year plans take a remarkably risk-aware approach compared with what has been the government’s go-to methodology: adding more and more controls based on standard compliance checklists such as the NIST CSF. The compliance-equals-security model is being severely stressed, as the DOE plan says, because the vast volume of attacks “continue to outpace our best defenses.”

But the feds still have a road to travel. Case in point: DHS’s US-CERT sends a weekly Cyber Hygiene Report Card to 106 federal agencies that rates their websites (from red for “critical” to blue for “low”) for vulnerabilities such as unsupported systems or web services.

Handing an agency a list of color-coded vulnerabilities or compliance deficiencies still leaves a job to be done: real risk analysis so decision makers know how to deploy their scarce budget dollars. Vulnerabilities aren’t risks by themselves. To borrow from FAIR terminology, risks are the probable magnitude and probable frequency of future losses, and risks can be estimated in monetary terms. Color-coded report cards don’t point the way to financially based decision making, in or out of government.
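The contrast drawn above, between a color-coded finding and a risk expressed as probable frequency times probable magnitude of loss, is easy to show in code. The following is an added example written for this page; it is not code from the FAIR Institute, US-CERT or either agency plan, and it uses only the two top-level FAIR factors (loss event frequency and loss magnitude) in a deliberately simplified form. Every finding, color label and dollar range in it is constructed for illustration, and the `Finding`, `expected_annual_loss` and `simulate_annual_loss` names are the example’s own. The point it makes is that a “red” finding on a low-value, rarely attacked system can carry far less annualized loss exposure than a “yellow” finding on a high-value public service.

```python
"""Added example (not from the post, FAIR Institute tooling, or any DHS/DOE document):
turning a color-coded vulnerability report card into monetary loss exposure.

Each finding carries two calibrated ranges, FAIR's top-level factors:
  loss event frequency (events per year) and loss magnitude (USD per event),
each given as (minimum, most likely, maximum) of a triangular distribution.
Annualized loss exposure (ALE) is frequency x magnitude, estimated both
analytically and by Monte Carlo simulation.  All values are constructed."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    report_card_color: str   # severity label as a scanner-style report card would assign it
    lef: tuple               # loss event frequency per year: (min, most likely, max)
    lm: tuple                # loss magnitude in USD per event: (min, most likely, max)


# Report-card ordering, most severe first (constructed to mirror a red-to-blue scale).
COLOR_RANK = {"red": 0, "orange": 1, "yellow": 2, "green": 3, "blue": 4}

# Constructed findings: the "red" item sits on an internal kiosk that is rarely
# attacked and holds little of value; the "yellow" item is on a public portal.
FINDINGS = [
    Finding("Unsupported OS on internal-only kiosk", "red",
            lef=(0.02, 0.05, 0.10), lm=(5_000, 20_000, 50_000)),
    Finding("Expired TLS certificate on a test site", "orange",
            lef=(0.10, 0.20, 0.50), lm=(1_000, 5_000, 20_000)),
    Finding("Outdated web service on public benefits portal", "yellow",
            lef=(0.50, 1.00, 2.00), lm=(200_000, 1_000_000, 5_000_000)),
]


def triangular_mean(rng3):
    """Mean of a triangular distribution given as (low, mode, high)."""
    lo, mode, hi = rng3
    return (lo + mode + hi) / 3.0


def expected_annual_loss(finding):
    """Analytic expected ALE.  Frequency and magnitude are modelled as
    independent, so E[F * M] = E[F] * E[M]."""
    return triangular_mean(finding.lef) * triangular_mean(finding.lm)


def simulate_annual_loss(finding, iterations=20_000, seed=7):
    """Monte Carlo ALE: sample frequency and magnitude, multiply, and report
    the mean and the 90th percentile (a 'reasonable worst year')."""
    rng = random.Random(seed)           # fixed seed keeps the run reproducible
    samples = []
    for _ in range(iterations):
        # random.triangular takes (low, high, mode); our tuples are (low, mode, high).
        freq = rng.triangular(finding.lef[0], finding.lef[2], finding.lef[1])
        mag = rng.triangular(finding.lm[0], finding.lm[2], finding.lm[1])
        samples.append(freq * mag)
    samples.sort()
    return {"mean": statistics.fmean(samples),
            "p90": samples[int(0.9 * len(samples))]}


def rank_by_color(findings):
    """Ordering a report card gives: most severe color first."""
    return sorted(findings, key=lambda f: COLOR_RANK[f.report_card_color])


def rank_by_risk(findings):
    """Ordering a risk-based view gives: largest expected annual loss first."""
    return sorted(findings, key=expected_annual_loss, reverse=True)


if __name__ == "__main__":
    print("Report-card order:")
    for f in rank_by_color(FINDINGS):
        print(f"  [{f.report_card_color:6}] {f.name}")
    print("\nRisk order (expected annual loss, USD):")
    for f in rank_by_risk(FINDINGS):
        sim = simulate_annual_loss(f)
        print(f"  {expected_annual_loss(f):>12,.0f}  (p90 {sim['p90']:>12,.0f})  {f.name}")
```

Run as a script, it prints the same three findings twice: first in report-card order (red, orange, yellow) and then by expected annual loss, where the portal finding leads by three orders of magnitude. The ranges are the part a real analysis would spend its effort on; they should come from calibrated estimates and incident history, not from the severity label of the scanner that found the issue.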

At least in concept (and in words) these two 5-year plans are good down payments on a more risk-aware future. As always – in both the public and private sectors – the question is whether we will get it right and recognize the true benefit we’re striving for, or whether we will accept watered-down versions of the dream that do little more than reshuffle the cards on strategies we already employ and which have proven time and again to fail.

We’re pulling for the latter (of course) – as we truly believe that if the cybersecurity community adopts an actual risk-based approach to evaluating, managing and resourcing security decisions, we’ll finally gain better footing against our adversaries.