It’s no secret that the public and private sector have experienced a bumpy cybersecurity partnership over the last two decades. As the threat of cyberattacks has grown along with the rapid rise of the internet as the backbone of the global economy, government efforts have often seemed to lag and frustrate the private sector. But just like the internet and information security have matured in profound ways, so have the capabilities of the federal government.
CISOs received a front-row view of the federal government’s progress and concrete actions toward becoming a better partner to the private sector at the most recent NTSC Northeast Regional CISO Policy Roundtable on February 21, 2018 (hosted by NTSC Board Member Josh Koplik, CISO of IAC/InterActiveCorp). During the roundtable, CISOs heard two presentations:
(l-r) NTSC Associate Director Kimberly Steele, Lieutenant General Kevin McLaughlin (Ret.) (McLaughlin Global Associates), Joshua Koplik (CISO, IAC/InterActiveCorp), DHS Deputy Assistant Secretary Rick Driggers, and NTSC Executive Director Patrick Gaul
During the discussions, CISOs noted they welcome the federal government’s help fending off asymmetrical attacks from adversaries such as nation-states. Conversely, CISOs offered ideas on ways the private sector could help the federal government with its work—from lending threat analysis resources to addressing the cybersecurity talent shortage. The roundtable discussions highlighted many opportunities for more productive public-private sector information sharing, partnership, and collaboration.
Lieutenant General (ret.) Kevin McLaughlin began the roundtable discussion by giving an overview of national security cyber trends from his unique perspective and experience. As former Deputy Commander of USCYBERCOM, General McLaughlin gave a thorough overview of this cyber force’s capability, capacity, and operations. He pointed out that USCYBERCOM’s primary job is to direct 12,000 personnel and over $500 million to defend the entire Department of Defense’s cyberspace footprint. Its Cyber Mission Force has grown from zero to 133 teams in four years and the overall command is rapidly growing and maturing.
After explaining USCYBERCOM’s organization in detail, General McLaughlin talked about how it has articulated risks and created strategies, plans, and detailed recommendations to influence executive-level policymakers. Looking ahead at some trends, General McLaughlin noted that USCYBERCOM will likely become a peer of the NSA (rather than a subordinate) within five years, expand its defensive focus beyond networks to include critical infrastructure, and involve itself in more military offensive operations.
During the discussion, CISOs noted the asymmetrical nature of cyberattacks—both in quality and sophistication—from various threat actors such as nation-states. Companies experience an incredibly high number of cyberattacks, and CISOs wondered about USCYBERCOM’s awareness of this problem along with its ability to help private sector companies fend off those attacks. Attendees also explored ways of addressing issues with third-party providers (especially cloud providers), concerns over cybersecurity jurisdiction, and how the private sector could work more productively with USCYBERCOM (including incorporating the participation of some private sector companies into the collection and analysis of threat data).
DHS Deputy Assistant Secretary Rick Driggers outlined the services DHS provides to the private sector including automated indicator sharing, incident response, and critical infrastructure vulnerability assessments. He also shared some insights about the latest processes and mechanisms of DHS’s CISCP and AIS information sharing programs.
Ideally, the DHS and the private sector should be participating in a bidirectional exchange of threat indicators. However, this exchange is currently mostly unidirectional—with only a small percentage of private sector companies signed up with DHS programs. Such minimal participation weakens the effectiveness of such a potentially powerful program.
Overall, there is a concerning lack of awareness about the services and support that DHS provides the private sector. For example, the DHS
CISOs had many questions for Driggers about incident response processes, delays obtaining security clearances, and the overall role of DHS. This fruitful dialogue highlighted the importance of such public-private sector interaction. Driggers reminded CISOs that DHS is not a regulatory authority, and so its goal is to work with—not regulate—the private sector. Driggers, CISOs, and other members of the NTSC showed an eagerness to share this information about DHS’s services with the private sector—as it seems there is a general lack of awareness about these services.
It’s the NTSC’s mission to unite both public and private sector stakeholders around policies that improve national cybersecurity standards and awareness through dialogue and education. This roundtable served as a perfect example of this mission in action. After the discussions ended, we noted a few key points:
The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies. Interested in adding your voice to the national cybersecurity dialogue as a CISO, sponsor, or contributing expert? Check out our events calendar for upcoming roundtables, learn more about the NTSC, and contact us about ways you can contribute.