CISA's 'next frontier' around cyber data analytics

The Cybersecurity and Infrastructure Security Agency is planning a multi-year effort to beef up its data analysis capabilities to help government agencies and the private sector better quantify how digital threats and system vulnerabilities affect not just intended victims but also the broader critical infrastructure community.

The National Risk Management Center at CISA views its core mission as two sides of the same coin. One side involves continuing to push patch management, cyber hygiene and other basic blocking and tackling activities. The little things that organizations still don't take seriously enough and have helped contribute to a noted increase in successful ransomware attacks over the past few years.

The other side is maturing CISA's data operations to "aggressively enhance our understanding of the analytics science behind cyber risk management." Specifically, the agency wants to get a more granular picture of questions that were previously viewed as too hard to quantify, like how much the increasingly interdependence of critical infrastructure sectors and their technologies meaningfully increase the nation's collective cyberattack surface.

"It's about identifying these concentrated sources of risk, where our collective remediation activity is most likely to have an outsized bang for our risk management buck," Said Daniel Kroese, Deputy Assistant Director of the NRMC while speaking at FCW's Cybersecurity Workshop Aug. 11.

On vulnerability management, the more data crunching capabilities CISA has, the more it can contextualize and customize measurements of impact for individual victims or industries to go beyond its previous "here's something bad: patch it" advice to potential victims. Kroese laid out a hypothetical scenario where the agency would use enhanced analytics to categorize and capture a vulnerability using the Common Vulnerability Scoring System, determine what systems would be affected if exploited, estimate the number and criticality of those systems and build a heat map of affected systems across critical infrastructure.

The end goal is not to tell the future but to get a place where CISA can answer questions like "where are these systems with this vulnerability of this severity score in a system of high consequence" in the financial or electricity sector, which can then help prioritize other agency resources and activities. It can also help better flesh out how much an organization truly loses as the result of a cyberattack, from direct observable costs and productivity loss to fines, legal judgements and reputational damage.

"We want to have a scalable engine we can invest in that is ingesting multiple axes of information about this risk equation that then allows us to go in and interrogate that data set [further]," Kroese said.

Some of the foundational work for this goal has already been done. The National Risk Management Center spent a year developing a list of national critical functions – like a functioning Internet, the Global Positioning System or air and cargo transport – that would have cascading, negative effects across different industries if they were disrupted in a cyber or kinetic attack. The COVID-19 pandemic has also offered a real-life stress test of the U.S. supply chain that has allowed the agency to further map out additional functions and spot new weaknesses.

It will likely take years to develop and scale additional capabilities, but CISA has made a number of investments already. For example, the agency is working with national labs to create a new risk rating scoring system for the most common pathways that cyber incidents tend to take so defenders can quickly answer "how bad of a day could this really be?" when faced with a specific vulnerability. Such insights might have helped to dampen the impact of malware like NotPetya, which quickly spread beyond its targeted victims in Ukraine and caused an estimated $10 billion in damages worldwide as other companies and industries with the same vulnerability were infected.

"Obviously…no two cyber incidents are totally the same, but based on the characteristics, the threat actor, the systems, the criticality of the systems, the attack vector, the type of malware or whatever it is, you can start to map out some common pathway to how consequences can manifest itself," said Kroese.