CISA Has Improved Software Risk Management Following SolarWinds Hack, Official Says

The Cybersecurity and Infrastructure Security Agency has learned how to better manage critical software following its review of the Solarwinds Orion hack, an official said.

Bob Kolasky, CISA’s assistant director for the National Risk Management Center and a speaker at a past Potomac Officers Club event, said the government has developed tools that can address the risks software poses to national critical functions, FedScoop reported Wednesday.

“We call this supply chain security; we call it supply chain risk management — about understanding the hardware and software that you rely on to do business and do critical processes,” Kolasky said.

The SolarWinds hack compromised the networks of at least nine federal government agencies and about a hundred American companies.

According to Kolasky, CISA has been working with SolarWinds to improve development transparency and push out releases to remedy the risks.

The NRMC serves as CISA’s center for collaborative risk management. The center works with the critical infrastructure community to mitigate risks in sectors such as communications, energy, transportation and water.

Kolasky said the NRCM wants the government to work more closely with industry to create an ecosystem where a single software breach will not affect other systems.

He claimed that the United States’ adversaries share information more effectively compared to the nation’s private and public sectors.

Eric Noonan, CEO of CyberSheath and a POC member, previously wrote a column highlighting the advantages of requiring technology companies to disclose data breaches in exchange for limited legal liability. He said the data breach reporting only saw serious consideration in the wake of the SolarWind attacks.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Speaker News

Join Us Now