Risk assessment is the key to real cyber hygiene
Every Monday, the Department of Homeland Security’s US-CERT sends a Cyber Hygiene report card to 106 federal agencies, based on scans of their internet-facing systems. The report from the National Cybersecurity Assessments and Technical Services color codes the sites based on vulnerability -- from critical (red) to low (blue) -- and identifies vulnerabilities, such as unsupported systems or web services. In addition, NCATS offers a Risk and Vulnerability Assessment, a package of vulnerability scans, network mapping, phishing and penetration tests.
A tip of the white hat to US-CERT for a tackling cybersecurity for the tangled and aging IT infrastructure behind issues like the Tax Day 2018 Outage at the IRS, which was caused by the failure of an application with coding from the 1960s.
But it’s just a start. Handing an agency a list of color-coded vulnerabilities or compliance deficiencies still leaves it with a job to be done: real risk analysis so decision-makers know how to deploy their scarce budget dollars.
Looking through our FAIR cybersecurity risk analysis lens, the government’s cyber guardians should identify the assets at risk, the likely frequency of attacks on an annual basis and the monetary impact of ongoing attacks to get actionable insight into their current risks and to game out the relative effectiveness of potential controls. Currently, agencies get good visibility into cybersecurity risks, but bad prioritization.
There are signs the feds are moving in the right direction. Edward Brindley, the Defense Department’s principal director for cybersecurity, recently described DOD’s plans to upgrade its cyber hygiene program: “Scorecard version 2.0 will seek to shift our paradigm. Instead of maximizing our cybersecurity compliance, we will shift the focus to managing our cybersecurity risk.” This planned automated scorecard “will integrate new data based on cyber threats, impacts, likelihood and the current data about our vulnerabilities.”
Sounds FAIR-like. And if money talks, federal CIOs will be listening to the $100 million that the Technology Modernization Fund Board has to hand out right now. The board, established by the Modernizing Government Technology Act at the end of last year, will award funding to agencies based on how well they make a “strong business case” for their projects and propose “risk-based, and cost-effective information technology capabilities that address evolving threats to information security.” As an extra incentive to get their risk/controls analysis right, agencies have to repay the funds in five years.