The Cybersecurity and Infrastructure Security Agency (CISA) has announced it will relaunch its Cybersecurity Insurance and Data Analysis Working Group (CIDAWG) to help combat ransomware, evaluate the effectiveness of security controls, and drive down cyber risk.
CISA Deputy Director Nitin Natarajan announced the re-envisioned working group on Nov. 17 at the Catastrophic Cyber Risk and a Potential Federal Insurance Response Conference hosted by the Department of the Treasury’s Federal Insurance Office and the New York University Stern School of Business’ Volatility and Risk Institute.
“For those familiar with the original CIDAWG created in 2014, this new iteration will look very different,” Natarajan said in a Nov. 20 blog post. “The working group was re-established to create a venue for collaboration and forward progress with industry on topics where we have shared interests – specifically, understanding what security controls are working most effectively to defend against cyber incidents.”
“This will help organizations to better understand where to invest resources and will allow the government to ensure our future investments are making the greatest impacts. To put it simply, we want to understand what ‘good’ looks like,” he added.
Natarajan said CISA will relaunch the working group in December to help address the current rise in ransomware attacks. The agency will partner with Stanford’s Empirical Security Research Group, a research lab in Stanford’s Computer Science Department, to correlate data with cybersecurity controls to understand which ones are most effective.
“CISA will ask working group members to collaborate with Stanford to improve analysis of the aggregated, anonymized loss data and link it with controls effectiveness,” Natarajan explained. “This analysis will be a resource both for insurers to inform their risk analysis and for CISA to better understand whether efforts like the Cyber Performance Goals (CPGs) and the Secure by Design initiative are translating to reduced cyber risk exposure for organizations that adopt them.”
The CIDAWG is part of a larger effort by CISA and the federal government to combat ransomware. The deputy director said other initiatives – such as the Joint Ransomware Task Force (JRTF), the Ransomware Vulnerability Warning Pilot, and the Pre-Ransomware Notification Initiative – will all support the working group.
Additionally, CISA is continuing the rulemaking process for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CIRCIA – which was signed into law in March 2022 – requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the government.
CISA Director Jen Easterly said that the agency is currently finishing up work on the Notice of Proposed Rulemaking for its cyber incident reporting rule, which “should be out later this year or early next year.”
“In short, achieving the goal of driving down cyber risk, as stated in the National Cybersecurity Strategy, requires coordinated action across the United States Government, the private sector, and American society,” Natarajan said.
“Everybody has a role to play in cybersecurity…and we need everybody to play their role,” he concluded. “I look forward to relaunching CIDAWG and working with our partners in the coming months to help collectively drive down cyber risk, improve the threat landscape, and prevent future cyberattacks.”