In the wake of the recent discovery of a cybersecurity breach of a number of federal agencies and even more private sector entities, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new effort aimed at reducing cyber risks nationwide through better use of data, quantifying risks, and attacking areas where risks are concentrated.

The Systemic Cyber Risk Reduction Venture will be led by CISA’s National Risk Management Center (NRMC), which works with critical infrastructure stakeholders in the private and public sectors to identify risks and build resilience.

Information sharing about cyber threats and best practices is, and will remain, an important role for CISA and for strengthening the nation’s cyber risk posture, but “information sharing alone will never be a silver bullet,” Bob Kolasky, an assistant director of CISA in charge of the NRMC, wrote in a Jan. 14 blog post on the agency’s website. “It requires using the existing efforts around vulnerability management, threat detection, and network defense as a springboard for connecting the relationship between threat, vulnerability, and consequence with actionable metrics that drive decision making.”

The intrusion into federal and private networks was carried out through a compromised software update for the Orion network-management platform supplied by SolarWinds [SWI], which is widely deployed across enterprise and government networks. The malicious code had not been seen before, so defenses keyed to previously observed threats did not flag it, which made it easier for the malware to remain undetected.

CISA is a component of the Department of Homeland Security.

Kolasky said the new risk reduction effort will have three main lines of effort. The first is a National Critical Functions Risk Architecture that captures data on the interdependencies and related vulnerabilities within a critical infrastructure area and runs it through a “dynamic analytic” engine. The architecture itself will serve as that engine, with an initial operating capability ready this year for use “in shared cyber decision-making at the national level,” he said.

The consequences of potential risks need to be understood, Kolasky said.

“Ultimately, cyber risk needs to be measured at a national level in terms of loss of functionality,” Kolasky said. That means understanding what can happen to systems as a result of a cyber incident, how it will affect safety or economic competitiveness, and, if an incident does occur, how national security impacts can be mitigated or negated, he said.

The second line of effort is developing metrics for cyber risk “to quantify cyber risk in terms of functional loss,” Kolasky said. This doesn’t mean “Greek equations with decimal place-level specificity,” he added, saying that “Metrics that provide even directional or comparative indicators are enormously useful.”

Kolasky said security ratings already being used to quantify cyber risk can be combined with other risk metrics to inform corporate managers and national security leaders. The NRMC plans to begin work here in the coming months.

The final line of effort involves “finding concentrated sources of risk that, if mitigated, provide heightened risk management bang for the buck if addressed,” he said. One example of concentrated risk is widely reused software such as open-source libraries: a coding flaw in a single shared library can become a vulnerability in every system that incorporates it.
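The three ideas above, a dependency model of critical functions and the systems and software they rely on, a comparative rather than precise risk metric expressed as loss of functionality, and a search for the concentrated sources of risk that pay off most when mitigated, can be illustrated with a small script. The following is an added example written for this article; it is not CISA’s Risk Architecture or any NRMC tool, and every name, score, weight and cost in it is constructed sample data chosen to show the mechanics.

```python
"""Toy model of concentrated software risk measured as functional loss.

Constructed example, not CISA's National Critical Functions Risk Architecture:
a three-layer dependency graph (critical function -> system -> software
component), a consequence score per function, an assumed exploitability
weight per component, and an assumed mitigation cost. All data is hypothetical.
"""
from typing import Dict, List, Set, Tuple

# Consequence of losing each critical function, on a relative scale (constructed).
FUNCTION_CONSEQUENCE: Dict[str, int] = {
    "electricity_distribution": 10,
    "water_treatment": 8,
    "payroll_processing": 3,
    "public_website": 1,
}

# Systems each function needs in order to operate (constructed).
FUNCTION_SYSTEMS: Dict[str, Set[str]] = {
    "electricity_distribution": {"grid_scada", "network_monitor"},
    "water_treatment": {"plant_scada", "network_monitor"},
    "payroll_processing": {"hr_portal"},
    "public_website": {"web_frontend"},
}

# Software components each system is built on (constructed).
SYSTEM_COMPONENTS: Dict[str, Set[str]] = {
    "grid_scada": {"opc_lib", "tls_lib"},
    "plant_scada": {"opc_lib", "log_lib"},
    "network_monitor": {"tls_lib", "log_lib", "net_agent"},
    "hr_portal": {"tls_lib", "log_lib"},
    "web_frontend": {"tls_lib", "web_fw"},
}

# Assumed likelihood (0..1) that a flaw in the component is exploitable in practice.
COMPONENT_WEAKNESS: Dict[str, float] = {
    "opc_lib": 0.5, "tls_lib": 0.2, "log_lib": 0.7, "net_agent": 0.4, "web_fw": 0.3,
}

# Assumed relative cost to harden, patch or replace the component.
MITIGATION_COST: Dict[str, float] = {
    "opc_lib": 6, "tls_lib": 2, "log_lib": 3, "net_agent": 4, "web_fw": 1,
}


def exposed_functions(component: str) -> Set[str]:
    """Critical functions that lose service if this component is compromised.

    Walks the graph upward: component -> every system containing it -> every
    function depending on one of those systems.
    """
    affected_systems = {s for s, comps in SYSTEM_COMPONENTS.items() if component in comps}
    return {f for f, systems in FUNCTION_SYSTEMS.items() if systems & affected_systems}


def functional_loss(component: str) -> int:
    """Total consequence of a compromise, i.e. risk expressed as loss of functionality."""
    return sum(FUNCTION_CONSEQUENCE[f] for f in exposed_functions(component))


def component_exposure() -> Dict[str, float]:
    """Comparative indicator per component: weakness-weighted functional loss."""
    return {c: w * functional_loss(c) for c, w in COMPONENT_WEAKNESS.items()}


def rank_by_exposure() -> List[Tuple[str, float]]:
    """Components ordered by exposure, highest first (name breaks ties)."""
    return sorted(component_exposure().items(), key=lambda kv: (-kv[1], kv[0]))


def rank_by_bang_for_buck() -> List[Tuple[str, float]]:
    """Exposure removed per unit of mitigation cost, highest first."""
    exposure = component_exposure()
    scored = ((c, exposure[c] / MITIGATION_COST[c]) for c in exposure)
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Exposure (weakness x functional loss):")
    for comp, score in rank_by_exposure():
        print(f"  {comp:<11} {score:5.1f}  functions at risk: {sorted(exposed_functions(comp))}")
    print("Exposure reduction per unit of mitigation cost:")
    for comp, score in rank_by_bang_for_buck():
        print(f"  {comp:<11} {score:5.2f}")
```

Two things the numbers show that the prose does not: the most widely shared component (`tls_lib`, present in every system) is not the most concentrated risk once its assumed exploitability is factored in, and the ordering changes again once mitigation cost is considered, which is the difference between a raw risk ranking and a “bang for the buck” ranking. A single-system component such as the hypothetical `net_agent` still ranks high because the system it sits in underpins two high-consequence functions, which is the shape of risk the management-tool example in the next paragraph describes.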

“Relatedly, the SolarWinds Orion cyber campaign has highlighted how tools that typically leverage a significant number of highly privileged accounts and access to perform normal business functions can themselves become adversarial attack vectors if sufficiently hardened,” Kolasky said.

The NRMC, through its Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, has been working to address these risks by prioritizing software assurance, identifying risk, and creating tools and guidance for companies and the government to “reduce risk from software supply chains,” he said.

In 2021, the ICT Supply Chain Risk Management Task Force will begin working across the critical infrastructure community and federal government on reducing software risks, he said.