Our sister organization, The Cyber Policy Institute, just published its first, but hopefully not last report on federal legislation that deals with cybersecurity. The report, Cybersecurity Bills in the 117th Congress, summarizes the 80 bills submitted or passed by the 117th Congress between January 2021 and January 2022. The bills, several of which were included in the National Defense Authorization Act for Fiscal Year 2022 (NDAA), which was signed into law by President Biden on December 27, 2021, cover a wide range of topics from defense and foreign relations to business, workforce and disaster preparedness.

In terms of breadth and depth, it’s impressive to see how much effort the various members of Congress and committees have put into cybersecurity. There’s a tendency to assume that Congress isn’t doing enough about the country’s cyber vulnerability, but the scope of the legislative agenda says otherwise.

Indeed, the report is already missing one major recent bill, which was passed after the report went to press. the Strengthening American Cybersecurity Act, already dubbed “SACA” by the cyber industrial complex, was spearheaded by leaders of the Homeland Security and Governmental Affairs Committee. The bill was sponsored by Sen. Gary Peters (D-Mich), the committee chairman, and its ranking member, Sen. Rob Portman (R-Ohio). SACA proposed more aggressive incident reporting and proposed to modernize the Federal Information Security Management Act (FISMA).

Of the 80 bills covered in the report, five have been signed into law, 10 have passed one or both houses of Congress, and 32 are still in committees. The bills cover national security and defense, protecting intellectual property, protecting American business, defending critical American infrastructure, developing cybersecurity skills in people both inside and outside the government, protecting children’s welfare and protecting Americans’ privacy.

Prepared by Dr. K.S. Little, a Research Fellow at the Cyber Policy Institute, the report breaks down the massive amount of information in the proposed and passed legislation and explains the relevance and impact of the legislation on each sector.

Industry leaders have been receptive to the report. For example, Tyler Young, Director of Security at Relativity, said, “This report does an excellent job of summarizing the 80 bills that have been submitted or passed by the 117th Congress during the first year of its session and really illuminates the breadth of cybersecurity’s impact across different government departments and committees.”

Marcus Fowler, SVP Strategic Engagements and Threats at Darktrace, remarked, “Given the growing global cyber aggression between and from nation-state and non-nation state actors, policymakers need to accelerate the cyber laws outlined, given the sense of urgency commensurate with the threat, especially with Russia’s actions in Ukraine. These events will spill over, at least in cyber, to the targeting of Western economic stability and will extend beyond any eventual stalemate in the on-the-ground conflict. The priorities should be increasing cyber resourcing of federal, state, tribal, and local institutions, expanding the cyber workforce, and formalizing public-private partnership and reporting procedures.”

Chris Olson, CEO of The Media Trust, shared. “Many of the bills before Congress in 2022 address important cybersecurity issues currently facing consumers, businesses and government organizations at an unprecedented scale. Among these are H.R. 4551 which aims to provide better intelligence on state-sponsored cybersecurity attacks, H.R. 474 which makes strides towards national data privacy legislation, and H.R. 807 which creates new protections for exploited children.”

Olsen added, “Unfortunately, key factors driving cybersecurity risk in the U.S are underrepresented or entirely absent from the bills currently before Congress – particularly digital supply chain vulnerabilities that impact websites and mobile applications. Today, the Web is a borderless entity which lacks protections against the activity of advanced persistent threat (APT) groups and state-sponsored threat actors. This oversight leaves Americans wide open to manipulation and compromise.”

Olsen makes a valid point, one that underscores the difficulty in trying to legislate the country out of its cyber vulnerability. Some issues are structural, such as the “borderless” nature of the Web. Unless laws can deal with that weakness, a great deal of risk exposure remains. In addition, legislation is subject to execution, and as we have seen, this can fall apart despite the best of intentions.

To download the report, visit https://cyberpolicyinstitute.org/wp-content/uploads/2022/03/CybersecurityBills-117Congress-final.pdf

Consider the following common scenario, which is unfolding in executive suites and corporate boardrooms across the world: A Chief Information Security Officer (CISO) presents the Chief Financial Officer (CFO) with a proposal to invest $10 million in upgrading the company’s cyber defenses. A figure that high will mean taking the proposal to the CEO, and then the board of directors for approval. “Do we really need this?” the CFO asks. “Yes,” the CISO replies. “It’s a ‘must-have.’”

What should the CFO do? Should she/he take the CISO’s word for it? That’s not always a good look in the boardroom. “We need it because the CISO said so” is not a compelling argument, even if the CISO is a credible person. Corporations need data to justify cyber defense investments. In particular, they need data about the financial impact of their cyber risk exposure. If the CFO can present a coherent argument in favor of the investment, she will have a better chance of gaining board approval—and the company will become better protected against cyber risk.

“We need it because the CISO said so” is not a compelling argument, even if the CISO is a credible person.

This process, which seems simple, has emerged as a surprisingly challenging arena for corporate decision-making. C-level executives and boards grasp the concept of risk quantification quite well, in general. They deal with debt risk, market risk, compliance risk, weather risks and all manner of threats to the company’s bottom line. For cyber, it’s turning out to be a lot harder to figure out the costs of failing at risk mitigation.

There are a variety of reasons for this. One issue is communication. The language of IT and cybersecurity is not native to the boardroom. This is partly a generational problem, but it’s also because cybersecurity presents itself as an arcane, almost mystical sphere of activity. Scare tactics and vague notions of catastrophe tend to predominate: sign this check or we face a multi-billion dollar loss at the hands of teens wearing hoodies and the Russian military. Why? I could tell you, but you wouldn’t understand.

To some extent, it’s an emotion-driven decision. Executives are afraid of cyber threats, often with good reason, but fear leads to exaggerated reactions. This is not a good way to run a business. Risks come with costs, and if businesses can get a good sense of what those costs are, they can make intelligent, informed decisions about how much security they need to buy.

This brings up the second major challenge to quantifying cyber risk. It’s just not that easy to do. One approach is to engage with a big consulting firm that will conduct audits and analyze a company’s risk. They present a report that captures the financial impact of cyber risks and then move on. Two difficulties arise with this approach. One is that the analysis is typically static, reflecting risks for a fixed period of time. Cyber risks continually evolve, however, so the analysis will soon become obsolete. And, these firms also often neglect subsidiaries and third-party partners in their assessments.

“Decisions about cyber security should be informed by facts and not guesses…”

I spoke about this challenge with Tom Boltman, VP of Strategic Initiatives at Kovrr, a company that offers technology for financially quantifying cyber risk on demand. According to Boltman, putting a financial price tag on cyber risks involves taking a dynamic, continuous approach. And, it should be data-driven at all times. “Decisions about cyber security should be informed by facts and not guesses,” he said. “What we do is incorporate  multiple sources of data including insurance cyber claims data… to give companies a more grounded view of what a potential loss could be.”

Kovrr’s methodology is complex, but it rests on two core dimensions of cyber risk: frequency and severity. A certain form of cyber incident may be frequent, but not severe. For example, a company might suffer a dozen successful phishing attacks a week. However, if they are quickly remediated, and adequate protections are in place, their financial impact will be quite low. In contrast, if a company’s cloud provider goes down, or becomes a conduit for an attack, that may be a rare but very costly episode.

From there, Kovrr adds factors like the nature of the business and the cyber loss characteristics of its industry peers. They apply multiple cyber  risk models to determine the costs of their potential losses from targeted and systemic cyber events that could result from a cyber attack or the failure of the third-party service provider that they rely on. The process takes into account subsidiaries and third-party relationships. They also evaluate the company’s technology stack, looking at its cyber loss history across multiple industries.

The Kovrr type of risk quantification process yields data that decision-makers can use to evaluate the financial impact of a cyber event. This in turn enables them to better understand the ROI of the cyber investments they are making as well as more strategic risk transfer and insurance placements.  Should they spend $10 million? If their potential loss is $1 million, then the answer is probably “no.” If a data-driven risk quantification pegs their risk at $100 million, then that $10 million investment starts to look like a really smart move.

Photo by Tima Miroshnichenko from Pexels

In this Thought Leaders video from Cyber Policy Institute, our sister organization, Mathieu Gorge, CEO of VigiTrust, discusses the impact of China’s New Personal Information Protection Law (PIPL) on companies doing business in China.

I’m old enough to remember when elevators told you what floor they were on using a needle that looked like something from a grocer’s scale. Admittedly, that was a building built in the 1920s, but the truth is it really wasn’t that long ago that building management was entirely analog. Not anymore. Today’s buildings invariably feature a sophisticated Building Management System (BMS) that monitors and controls core building functions like HVAC, fire alarms, lighting, power and more.

A BMS falls into the operational technology (OT) category. Like most OT systems today, BMS’s are now connected with IT networks, which creates risk exposure. “OT and IT have converged in the BMS space,” explained Megan Samford, VP, Chief Product Security Officer for Energy Management at Schneider Electric, which produces BMS’s. “There are no air gaps, realistically. An OT system can be an attack surface that threatens any connected IT system. Your HVAC becomes a hacker’s way into your email server, and so forth. These are the kinds of risks that our industry is working to mitigate.”

Reducing risk exposure means securing the BMS. This is partly a matter of process and controls. For example, one best practice is to adopt a secure reference architecture for a building that involves effective network segmentation, event monitoring and intrusion detection. Security teams representing both the IT and OT sides of a facility also need to come together to coordinate their work and systems. However, at a foundational level, the BMS itself must be developed using secure principles.

For Schneider Electric and its peer firms in the BMS industry, creating a secure BMS means adhering to the International Electrotechnical Commission (IEC) 62443 standard, which was developed to address the unique security issues affecting industrial automation and control systems (IACS) and OT. IEC 62443 takes on the complex challenges inherent in securing OT systems, some of which are legacy and not easy to defend, while also protecting IT systems that are connected to OT.

According to Samford, the best practice is to employ IEC 62443 in a “defense in depth” approach. She said, “It’s about a layered approach to defense within an OT network. It starts with the people and process, but also encompasses individual products and components that make up the system.”

Megan Samford, VP, Chief Product Security Officer for Energy Management at Schneider Electric

In particular, Samford called attention to section 3-2 of the standard, which relates to “Security Risk Assessment, System Partitioning, and Security Levels.” A BMS should have countermeasures based on relevant threats, risk exposure, inherent vulnerabilities, the likelihood of an event and the consequences of compromise—adapting the system to its own risk tolerance for risk. This principle applies both to the design of the BMS as well as its implementation at a given facility.

Then, with IEC 62443-3-3, which covers “System Security Requirements and Security Levels,” the OT team needs to define security assurance levels and cybersecurity functions embedded in whatever products are used the BMS environment. By working through these, and other IEC 62443 parameters, a BMS can achieve certification at a specific level of defense capability. Level 1 means the BMS can withstand an attack from a casual or inexperienced attacker. Level 2 refers to more experienced malicious actors. Levels 3 and 4 are more sophisticated, with level 4 representing nation state actors. As Samford noted, few if any BMS’s in deployment are yet at level 4, but that is coming.

“One point of defense we’re seeing more consistently now is zero trust,” Samford then remarked. “We are starting to assume that attackers are already in the system. We need to defend from the inside, and ZT offers a great countermeasure to that threat.”

What will it take to succeed in deploying, and then sustaining secure BMS’s? For Samford, the first step is to acquire the right technology. “You need a system that’s built for IEC 62443 certification and defense in depth.” However, as she added, “That’s just the start. It’s critical to identify who owns all the various systems and who is responsible for keeping policies up to date and enforcing them. HR might need to get involved, with recruiting people who know how to handle these responsibilities and engaging in cybersecurity training for building management personnel. Security has not been o ne of their areas of responsibility until recently, but now it’s critical.”