The Army’s Cybersecurity Defense Operations and Research (CDOR) Branch recently published a Sources Sought document, an RFP calling for contractors to help enhance the Army’s ability to identify threat actors, manage risks and proactively enhance “cybersecurity posture”, in service of the Army’s Defend Forward doctrine for the cyber “battlespace.”
All this sounds like a job description for FAIR, the international standard for cyber risk quantification, used in private enterprise for defending forward against cyber risks by giving decision makers a true picture of the probable frequency and impact of potential attacks.
Or, as the Sources Sought document puts it, to “defend better, react faster, coordinate rapidly, prioritize efforts, and respond smarter to security events, increased risks or operational directives.”
FAIR and cyber risk quantification are beginning to make an impact on federal agencies. The deputy chief information security officer at the Department of Energy, Greg Sisson, recently revealed that he’s holding up a major cloud migration project pending a FAIR analysis. Meanwhile, demand for risk-based analysis is growing at federal agencies – see the recent investigation by the General Accounting Office into their failing risk management practices. A sample quote in the GAO report, from the Department of State’s cybersecurity officer: “It is difficult in a large global enterprise to prioritize actions without credible information on the likelihood of a threat or its impact on the agency’s mission.”
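The “probable frequency and impact” the GAO quote asks for is what FAIR computes: Loss Event Frequency (threat event frequency times vulnerability) combined with Loss Magnitude, usually by Monte Carlo over calibrated min / most-likely / max estimates. The following is an added illustration, not code from the article or from RiskLens; the scenario numbers are constructed, not taken from any real assessment.

```python
# Added example (not from the article or RiskLens): a minimal FAIR-style Monte Carlo
# that turns calibrated min / most-likely / max estimates into an annualized loss
# distribution. All scenario numbers below are constructed for illustration.
import math
import random
import statistics

def pert_sample(rng, low, likely, high, lam=4.0):
    """Draw from a modified-PERT (beta-PERT) distribution, the usual way FAIR
    analyses encode a calibrated minimum / most-likely / maximum estimate."""
    if not low <= likely <= high:
        raise ValueError("need low <= likely <= high")
    if high == low:
        return low
    mean = (low + lam * likely + high) / (lam + 2)
    if abs(likely - mean) < 1e-12:          # symmetric estimate: alpha == beta
        alpha = beta = lam / 2 + 1
    else:
        alpha = (mean - low) * (2 * likely - low - high) / ((likely - mean) * (high - low))
        beta = alpha * (high - mean) / (mean - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def poisson_count(rng, rate):
    """Knuth's method: number of loss events in one simulated year at a given rate."""
    threshold, count, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1

def simulate_ale(scenario, years=10_000, seed=1):
    """Return sorted simulated annual losses. FAIR factors: Loss Event Frequency =
    Threat Event Frequency x Vulnerability; each loss event draws its own Loss Magnitude."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = pert_sample(rng, *scenario["tef"])      # threat events per year
        vuln = pert_sample(rng, *scenario["vuln"])    # P(threat event becomes a loss event)
        events = poisson_count(rng, tef * vuln)       # loss events in this simulated year
        losses.append(sum(pert_sample(rng, *scenario["lm"]) for _ in range(events)))
    return sorted(losses)

def summarize(losses, tolerance):
    """Percentiles, mean, and the probability of exceeding a stated loss tolerance."""
    n = len(losses)
    pct = lambda q: losses[min(n - 1, int(q * n))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(losses),
            "p_exceed": sum(1 for x in losses if x > tolerance) / n}

# Constructed scenario: credential phishing against a public-facing portal (USD per event)
SCENARIO = {"tef": (2, 6, 20), "vuln": (0.05, 0.15, 0.40), "lm": (20_000, 80_000, 500_000)}

if __name__ == "__main__":
    print(summarize(simulate_ale(SCENARIO), tolerance=250_000))
```

The output is a loss curve rather than a red/yellow/green score, which is what lets a decision maker rank-order scenarios and compare a control’s cost against the exposure it removes.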
But could the Army adapt FAIR for military duty? I asked Dr. Jack Freund, RiskLens Risk Science Director and co-author with Jack Jones of the FAIR book, Measuring and Managing Information Risk.
Jack’s answer: “Absolutely… to me, this is really around understanding where in the patchwork of federal and private sector critical infrastructure are weak points.”
Hear Jack on the Army’s cybersecurity strategy in this brief podcast or read the transcript below.
Q: Jack, the Army recently published a Sources Sought document, basically an RFP looking for contractors to improve the Army’s ability to identify threat actors, manage risks and proactively enhance cybersecurity posture, as they say.
All this sounds like a job for FAIR quantitative risk analysis. But FAIR is typically used in business cybersecurity. How could the Army adapt FAIR for military duty?
A: That’s a great question, Jeff. And FAIR can absolutely be used in military applications.
Really, the interesting things about this RFP are that we are talking about the need to understand battlespace awareness better and get insight into what are the threats that are coming in to the organization and to the battlespace in general.
They also want to spend some time looking at the secure operating areas, which include a specific call for assessing risk.
All of these are part of the Cyber Command’s new strategy of Defend Forward, looking to conduct more influence operations and protect the critical infrastructure of the United States before bad things happen.
So, to me, this is really around understanding where in the patchwork of federal and private sector critical infrastructure are weak points.
And that comes down to really understanding risk at its core.
So, FAIR is absolutely primed to help with that by helping organizations, public and private, understand where risk exists in the organization by looking at economic impact, as well as getting a handle around how to organize and classify the threat actors and the indicators of compromise and the tactics that these groups may use to rank-order them in terms of what are the priorities for defense.
Q: Well, that’s great insight, Jack. Thanks very much.
A: Thanks, Jeff.