Nothing looms larger in the policy gunsights of the Biden administration than cybersecurity – both in the Federal and private sectors – and how to improve it.
The last several months of high-profile cyberattacks on government and critical infrastructure networks across the United States and beyond have elevated the issue to U.S.-Russia summit-level importance, and the need to modernize networks to withstand increasingly sophisticated attacks is being backed up by billions in spending in a campaign that government officials say may last decades.
Smack in the middle of that fight – and fully in charge of the foundational work to improve supply chain security in the all-important tech sector – is Bob Kolasky, who has led the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center (NRMC) since its inception in 2018.
We sat down with Kolasky for an extended talk about NRMC’s mission, the goals of its information and communications technology (ICT) task force, and lessons learned from the past several months of cyber assaults that government and industry can apply to protect vital tech supply chains. Our interview took place shortly before the Biden administration released its cybersecurity executive order, and allusions to the directive are more clear in hindsight.
MeriTalk: Bob, the NRMC is a familiar organization to many in the Federal IT community. Can you take us through a couple of its top aims and the progress the center has been making on those?
Kolasky: Sure, the NRMC operates within CISA as a planning, analysis, and collaboration center, looking at strategic risks to the nation from cyberattacks and other attacks, and trying to make progress to mitigate those.
Within that scope, we lead the agency’s efforts to work with the ICT community to secure supply chains and to manage risk associated with supply chains. We are focused on risk from technology that can impact national security and national economic security critical functions.
We also work on election security to support state and local election officials, and we work on other strategic priorities such as security for pipeline systems and other critical infrastructure.
MeriTalk: Let’s talk about the ICT Supply Chain Task Force that you help lead. We reported in February that the task force received a six-month extension to keep on with its work. How does the task force support broader supply chain resilience?
Kolasky: The task force is a public-private partnership under our critical infrastructure authorities that brings together 60 primary representatives, 20 of whom are from Federal agencies that are leading national supply chain efforts. Those agencies include the Department of Commerce, Director of National Intelligence, Department of Energy, and Department of Defense. Twenty members are from the IT community and the communications community representing private industry. Those include big IT companies – Dell, Microsoft, Cisco, Samsung, T-Mobile, Lumen, AT&T – plus associations that represent some of the smaller companies.
MeriTalk: What’s the outlook beyond the six-month extension?
Kolasky: We chartered the task force through July of this year, and we’re working on a longer-term charter. We did a six-month extension just to manage the change within the start of a new administration, but we fully expect that the task force is going to keep going well into 2022, because what we are doing is so critically important.
MeriTalk: What is at the core of what the task force is trying to do?
Kolasky: We’re advancing the capability of the ICT industry to manage the risks to supply chains. We’ve done some work on advancing the ability to share information about supply chain risks, and defining threats that are at the forefront of supply chain risk to help focus on risk management activities within the IT group.
We’re building on processes that are going to help people be better supply chain risk managers, to help organizations be better supply chain managers around acquisitions processes, and to identify qualified entities to put into your supply chain, with processes to demonstrate trust within supply chains. The task force is really about bringing government and industry together to help companies and government be better supply chain risk managers.
MeriTalk: How does the work of the task force align with efforts already underway from the White House, which is taking a year-long look into resiliency and security of the ICT supply chain?
Kolasky: As the foremost public-private partnership between the IT and communications industry and the government, the task force is a tool that can be used to help the president achieve some of his goals. You just asked about the America’s Supply Chain executive order – that is really about ensuring that our supply chains, to some extent, are controlled within the United States, and ensuring that we are building critical things within the United States, even if the components are not manufactured in the United States.
It’s also about ensuring that critical commodities are available to the supply chain. The executive order looks at things like critical minerals, batteries, and public health supplies, as well as ICT equipment. DHS has the lead on that with Commerce.
It’s a year-long effort to identify recommendations to improve ICT supply chains, so that we have assurance that supply chains are going to function with confidence. At our last task force meeting, representatives from the National Security Council laid out the vision associated with the executive order to help get the task force prepared to support the study that DHS and Commerce are doing. We are bringing in the task force to help us do that study, to help us formulate some of the recommendations, and to get advice from the task force as part of that process.
By next February we will have a set of recommendations on strengthening our ICT sector.
MeriTalk: It’s difficult to discuss supply chain security without talking about SolarWinds, but thinking back on it, what are the lessons that should be applied to similar situations within the ICT supply chain?
Kolasky: Very generally, elements of the supply chain were used to exploit regular updates of software code in order to put in bad code, and that opened up some vulnerabilities in networks that could potentially be exploited.
What are some of the lessons from a software supply chain security perspective? Let’s start with the big one: Know your software, know what your critical software elements are within your systems, and know where there’s interaction between software and critical systems. I think there were gaps in knowledge about the importance of SolarWinds to systems, and what kind of access that software has to systems.
Other lessons learned are: Make sure, as part of development, maintenance, and deployment processes, that you’re designing in something close to a zero trust architecture, and assume that critical software which has access to certain things could be exploited. Design your systems in a way that you have more monitoring, and you’re not putting much trust in the critical software.
MeriTalk: What about information sharing?
Kolasky: We want to do more information sharing across agencies. We also want to make sure there’s a process in place to set up contracts and acquisition so that if a cyber incident happened it’s getting reported and shared so that we can all learn from each other – government and industry.
MeriTalk: If we can look ahead by one year, what are a few goals for ICT supply chain security that might be realistic by then?
Kolasky: Among those goals is the progress we are making on the Federal Acquisition Security Council (FASC), which is really about supply chain security in the Federal government. The ICT task force is working closely with FASC members – a lot of the task force members are also FASC members. I think one achievable goal in the next year on the Federal side is building into the process greater information sharing among Federal agencies about supply chain risks.
DHS is the executive agent for information sharing for FASC, and we have exercised the process of using the FASC to exclude untrustworthy components from supply chains as we find reasons to do so. And in doing that, we have shared that information broadly with industry and state and local governments that may choose to make similar exclusions so we can push some of the bad stuff out of our ICT supply chain.
From a CISA perspective, we think the FASC has a lot of momentum and a year from now, we’re going to be talking about some FASC wins.
More broadly, I think there’s some potential to break down some barriers to information sharing. That’s something we’ve been looking at on the task force – to break down some legal barriers that are stopping information sharing between companies about supply chain risks. I’d like to see some real progress on information sharing in the next year.
MeriTalk: Is that kind of change something that needs to happen legislatively, or can it happen with the stroke of a pen? How hard would those changes be to get?
Kolasky: Some of those things are likely to come from the White House, capturing some of the lessons learned from SolarWinds that we’ve talked about today. There are things we can do with a stroke of the pen if the president sees fit. There are changes in how we do business as a Federal enterprise that the president, as the head of the executive branch, has the authority on, and you will see some of that coming out of the executive order.
Some other things probably need legislative changes, including information sharing between industry and industry. That’s obviously something the president can’t fix because he doesn’t have authorities over industries.
We’ve been encouraged by committees on the Hill that are interested in ways to legislate to improve information sharing. I have testified about the need to do so, as have the other task force co-chairs, and committees have indicated some support for doing that.
MeriTalk: That’s great insight. Any final thoughts for us?
Kolasky: In conversations like this, I always like to emphasize that it’s important for security to be part of doing business, and to be a first-order consideration as companies do business with the government and do business with critical systems. It has to be built into business processes.
Security can’t be a conversation just among security professionals. It has to be a conversation with the CFO, the board of directors, the chief risk officer, the CEO, about how we are ensuring that the business we are in is secure from the get-go, and that our supply chains are secure.
MeriTalk: Thanks again, Bob. Lastly, where can people go to find out more about what the task force is doing?
Kolasky: More information is available at our CISA.gov website. One of the things we think is really important as a task force is producing a lot of things that can be used more broadly than just by the people who are on the task force and can attend meetings. One of the things we are doing this year is targeting some of our work for small and medium-sized businesses, trying to get the word out about what we’ve already done in a way that’s approachable and can be used by supply chain risk managers and business owners to improve their processes.