NTSC Blog

CISOs Discuss Public-Private Sector Information Sharing, Partnerships, and Collaboration

It’s no secret that the public and private sector have experienced a bumpy cybersecurity partnership over the last two decades. As the threat of cyberattacks has grown along with the rapid rise of the internet as the backbone of the global economy, government efforts have often seemed to lag and frustrate the private sector. But just like the internet and information security have matured in profound ways, so have the capabilities of the federal government.

CISOs received a front-row view of the federal government’s progress and concrete actions toward becoming a better partner to the private sector at the most recent NTSC Northeast Regional CISO Policy Roundtable on February 21, 2018 (hosted by NTSC Board Member Josh Koplik, CISO of IAC/InterActiveCorp). During the roundtable, CISOs heard two presentations:

  • “Cyber Trends in National Security” presented by General Kevin McLaughlin (Ret.), McLaughlin Global Associates
  • “Cyber Threat Intelligence Sharing—Uncovering the Facts” presented by DHS Deputy Assistant Secretary Rick Driggers

(l-r) NTSC Associate Director Kimberly Steele, Lieutenant General Kevin McLaughlin (Ret.) (McLaughlin Global Associates), Joshua Koplik (CISO, IAC/InterActiveCorp), DHS Deputy Assistant Secretary Rick Driggers, and NTSC Executive Director Patrick Gaul

During the discussions, CISOs noted they welcome the federal government’s help fending off asymmetrical attacks from adversaries such as nation states. Conversely, CISOs offered ideas on ways the private sector could help the federal government with their work—from lending threat analysis resources to addressing the cybersecurity talent shortage. The roundtable discussions highlighted many opportunities for more productive public-private sector information sharing, partnership, and collaboration.

National Security Cyber Trends

Lieutenant General (ret.) Kevin McLaughlin began the roundtable discussion by giving an overview of national security cyber trends from his unique perspective and experience. As former Deputy Commander of USCYBERCOM, General McLaughlin gave a thorough overview of this cyber force’s capability, capacity, and operations. He pointed out that USCYBERCOM’s primary job is to direct 12,000 personnel and over $500 million to defend the entire Department of Defense’s cyberspace footprint. Its Cyber Mission Force has grown from zero to 133 teams in four years and the overall command is rapidly growing and maturing.

After explaining USCYBERCOM’s organization in detail, General McLaughlin talked about how it has articulated risks and created strategies, plans, and detailed recommendations to influence executive-level policymakers. Looking ahead at some trends, General McLaughlin noted that USCYBERCOM will likely become a peer of the NSA (rather than a subordinate) within five years, expand its defensive focus beyond networks to include critical infrastructure, and involve itself in more military offensive operations.

During the discussion, CISOs noted the asymmetrical nature of cyberattacks—both in quality and sophistication—from various threat actors such as nation states. Companies experience an incredibly high number of cyberattacks and CISOs wondered about USCYBERCOM’s awareness of this problem along with its ability to help private sector companies fend off those attacks. Attendees also explored ways of addressing issues with third party providers (especially cloud providers), concerns over cybersecurity jurisdiction, and how the private sector could work more productively with USCYBERCOM (including incorporating the participation of some private sector companies into the collection and analysis of threat data).

Cyber Threat Intelligence Sharing and DHS Services to the Private Sector

DHS Deputy Assistant Secretary Rick Driggers outlined the services DHS provides to the private sector including automated indicator sharing, incident response, and critical infrastructure vulnerability assessments. He also shared some insights about the latest processes and mechanisms of DHS’s CISCP and AIS information sharing programs.

Ideally, DHS and the private sector would participate in a bidirectional exchange of threat indicators. In practice, the exchange is currently mostly unidirectional: only a small percentage of private sector companies have signed up for DHS programs, and that minimal participation weakens the effectiveness of a potentially powerful program.

Overall, there is a concerning lack of awareness about the services and support that DHS provides to the private sector. For example, DHS:

  • Provides 24/7 cyber situational awareness including sending regular information to companies about current threat activity, alerts, and bulletins
  • Can send out incident response teams to an organization within 24 hours
  • Conducts cyberthreat vulnerability analyses for private companies
  • Provides specialized services for critical infrastructure companies
  • Coordinates public-private information sharing that includes indicator bulletins, analysis reports, priority alerts, and recommended practices
  • Provides monthly and quarterly analyst briefings, exchanges, and events
  • Offers liability protection for companies that share information with DHS

CISOs had many questions for Driggers about incident response processes, delays in obtaining security clearances, and the overall role of DHS. This fruitful dialogue highlighted the importance of such public-private sector interaction. Driggers reminded CISOs that DHS is not a regulatory authority, so its goal is to work with, not regulate, the private sector. Given the general lack of awareness about DHS’s services, Driggers, CISOs, and other members of the NTSC showed an eagerness to share this information with the wider private sector.

Conclusions

It’s the NTSC’s mission to unite both public and private sector stakeholders around policies that improve national cybersecurity standards and awareness through dialogue and education. This roundtable served as a perfect example of this mission in action. After the discussions ended, we noted a few key points:

  • Dialogue between the public and private sector dispels many myths and misperceptions. More awareness about USCYBERCOM and DHS—including dialogue with leaders who serve (or have served) those organizations—helps CISOs better understand current efforts and capabilities.
  • DHS provides many important services that need more awareness. We will help with these efforts by producing a whitepaper that outlines these services in more detail. After Driggers’ presentation, CISOs had many questions about particular services and left more aware about how to work with the DHS.
  • The federal government’s cybersecurity posture is improving slowly and steadily. CISOs burned by experiences many years ago may not have an accurate view of the federal government’s cybersecurity capabilities now. Organizations like the DHS and USCYBERCOM have improved by leaps and bounds over the last few years, and they are readier than ever to productively engage with the private sector.

The National Technology Security Coalition (NTSC) provides a platform for CISOs to advocate for beneficial legislative and regulatory cybersecurity policies. Interested in adding your voice to the national cybersecurity dialogue as a CISO, sponsor, or contributing expert? Check out our events calendar for upcoming roundtables, learn more about the NTSC, and contact us about ways you can contribute.