The change in the cyber risk environment coinciding with a heightened need for procurement of new technologies and services has created a new paradigm for a cybersecurity partnership between government and industry. The prioritization of that special partnership appears to be in the immediate plans for the new Trump Administration.
The appointment of former NYC Mayor Rudy Giuliani as a cybersecurity adviser signals the elevated importance of that intended government/industry partnership. One of his first tasks will be to assemble cybersecurity subject matter experts and leaders from industry to advise and spur innovation in and out of government. Mayor Giuliani has made it clear that the proposed group will work on cutting-edge cybersecurity solutions across industries such as the energy, financial, and transportation sectors.
Collaboration between government and industry stakeholders is a proven model that makes good sense. Together, government and the private sector can identify products and align flexible product paths, evaluate technology gaps, and help design scalable architectures that will lead to greater efficiency and fiscal accountability. Bridging R&D spending between the government and private sectors should also allow for a more directed and capable cybersecurity prototype pipeline to meet new technology requirements.
In addition to being collaborative, a working partnership of government and industry leaders should be focused and strategic in nature. To be effective, the evolving cybersecurity partnership must also 1) be proactive and adaptive to change; 2) be coordinated with the Department of Homeland Security (DHS); and 3) have a cyber risk management/consequence strategy.
Being Proactive and Adaptive to Change: There are many challenges of functioning in an exponentially changing digital world. This requires restructuring of priorities and missions for both government and industry. That is not an easy task and there is logic in joining forces.
As the capabilities and connectivity of cyber devices have grown, so have the cyber intrusions and threats from malware and hackers. The growing and sophisticated cyber threat actors include various criminal enterprises, loosely affiliated hackers, and adversarial nation states. A first mission for the new Administration’s cyber team will be to review recommendations prepared by cybersecurity experts from within and out of government and to assess gaps and vulnerabilities across the threat landscape.
In the past decade, the cybersecurity focus and activities by both government and industry have been predominantly reactive to whatever is the latest threat or breach. As a result, containing the threats was difficult because at the outset, defenders were always at least one step behind. That mindset has been changing due to a major series of intrusions and denial of service attacks (including OPM, Anthem, Yahoo, and many others) that exposed a flawed approach to defending data and operating with a passive preparedness.
Being proactive is not just procuring technologies and people; it also means adopting a working industry and government framework that includes tactical measures, encryption, authentication, biometrics, analytics, and continuous diagnostics and mitigation, as applicable to specific circumstances.
The new advisory council led by Mayor Giuliani will become more proactive and adaptive in protecting assets and will also likely address policy and technology development implications around a whole host of other topics related to cyber threats. Some of these topics will include information sharing, securing the Internet of Things (IoT), protection of critical infrastructures, and expanding workforce training to mitigate the shortage of cybersecurity.
The Department of Homeland Security’s (DHS) Coordination: The government/industry partnership will have to work closely with the Department of Homeland Security. DHS has taken on a formal and increasingly larger role as the lead civilian agency in government working with industry and state & local stakeholders on cybersecurity. The 2017 DHS budget has appropriated more than $1.2 billion toward cybersecurity, demonstrating the importance of the agency’s role in protecting the homeland in cyberspace.
In recent years, DHS and the National Institute of Standards (NIST) have made a growing effort to bring the private sector together with government, especially to develop information sharing protocols. The Obama Administration issued Presidential Policy Directive-21 (PPD-21) that outlined an approach to developing standards and enhancing information sharing with critical infrastructure owners and operators.
The Executive Order was aimed at identifying vulnerabilities, ensuring security, and integrating resilience in the public/private cyber ecosystem. The underlying goal was to help protect against targeted cyber intrusions of the nation’s critical infrastructure, such as financial systems, chemical plants, water and electric utilities, hospitals, communication networks, commercial and critical manufacturing, pipelines, shipping, dams, bridges, highways and buildings.
Congress has supported DHS’s expanded role and it is still taking shape. A bi-partisan bill approved by the House Homeland Security Committee proposes a new DHS cyber defense agency that would be called the Cybersecurity and Infrastructure Protection Agency. The prospective agency would replace the National Protection and Programs Directorate (NPPD) and put a stronger focus on DHS’s integral role in cyber preparedness, response and resilience. It would also reorganize the agency into an operational role.
New Homeland Security Secretary John Kelly, Homeland Security Advisor Tom Bossert, and Rudy Giuliani, with the added input of the new industry advisory group, will build upon the Presidential Directive and Congressional mandates to expand and refine the operational aspects of DHS’s special role in cybersecurity.
Cyber Consequence/Risk Management Strategy: In a core sense, a successful cyber threat consequences strategy is really about risk mitigation and incident response. A risk management strategy requires stepping up assessing situational awareness, information sharing, and especially resilience planning. It is critical to be aware of the morphing threat landscape and plan contingencies for all potential scenarios. The cyber threat reaches far beyond terrorists, and includes various criminal enterprises, and adversarial nation states.
Information sharing in support of risk management will allow both government and industry to keep abreast of the latest viruses, malware, phishing threats, ransomware, insider threats, and especially denial of service attacks. Information sharing also establishes working protocols for lessons learned and resilience that are critical for the success of commerce and the enforcement against cyber-crimes.
Cyber resilience after an intrusion is an area that must be further developed in response protocols, training of information security personnel, and deployment of redundant and automated technologies. Remediation is important to continuity – no matter what, breaches will happen. The incorporation of best practices and the lessons learned from the many corporate breaches over the past few years is certainly valuable data for both industry and government in terms of prevention, recovery, and continuity.
Of course, there are many other important elements integral to a successful cybersecurity government/industry partnership. Cybersecurity encompasses a multi-dimensional topic area that touches anything and everything connected in both the public and private sectors.
The cybersecurity world will watch closely what evolves from the Trump cybersecurity team’s leadership role in assembling contributions from the best and brightest across industry. A stronger and streamlined government/industry partnership may be the Administration’s first defining initiative in addressing the cybersecurity challenges of the day.
Also available on Alien Vault