Government and Private Sector Cybersecurity Collaboration Finally Showing Signs of Life


Posted by Robert Ackerman

For years, collaboration on cybersecurity between government and business, and among businesses themselves, was either minimal or got off the ground tentatively only to fail. Companies often resisted sharing information about hacking threats out of fear they would face legal consequences, and the government was slowed by bureaucracy and by fear of exposing classified information.

At long last, fortunately, this is changing on several fronts, and over time, may dramatically improve the nation’s cybersecurity.

Commitments from government, technology companies, or both have been made for sharing information in the analysis of threat intelligence, for working toward new industry standards that provide stronger security tools, and for enhancing worker skills training to help fill nearly 500,000 unfilled US cybersecurity jobs. Google and Microsoft alone recently said they would invest $30 billion in cybersecurity over the next five years.

The groundwork for serious cooperation may have been set last December, when the hack of network management company SolarWinds was divulged, enabling bad actors to compromise a range of US government agencies and major corporations. It became apparent that business and government expose each other to significant risks because they are interconnected and rely on the same network of software vendors.

In addition, the cyber community is finally conceding that US technology infrastructure, including data centers and industrial control equipment, is mostly owned and operated by private companies. This is a drawback in many ways: absent help from other entities, those companies are solely responsible for security while attacks are constantly evolving. Successful ransomware attacks against Colonial Pipeline and JBS Foods earlier this year, which undermined the availability of gasoline and food, respectively, in large swaths of the country, underscored the vulnerability.

It’s not that government and technology companies have until now done nothing on the collaboration front.

Probably the most prominent step was the Cybersecurity Information Sharing Act of 2015, the first major piece of Congressional cybersecurity legislation. It called upon businesses, government agencies, and other organizations to share information about cybersecurity threats in the belief that it would help players better identify and defend against cyberattacks. But participation was voluntary and limited, and the legislation turned out to be a bust.

This lesson learned, here are three key examples of recent progress in cooperation on the cybersecurity front:

+ The White House in August hosted a cybersecurity summit with CEOs in multiple industries and made concrete promises to President Biden to take action. Business leaders committed billions of dollars to beef up cybersecurity in multiple ways. Microsoft, for example, pledged a $20 billion investment in cybersecurity advancements over the next five years, including $150 million immediately to expand Microsoft’s security training network and help US government agencies upgrade their digital security systems. Google said it would invest more than $10 billion over five years to strengthen cybersecurity and also pledged to train 100,000 Americans in technical fields such as IT support and data analytics.

IBM, meanwhile, said it would train more than 150,000 people in cybersecurity skills in three years and also announced a new data storage solution for critical infrastructure companies.

+ Chris Inglis, the Biden administration’s cyber czar, announced in October a new effort to protect both the public and private sectors. Inglis has begun laying the groundwork for more regulations in key industry sectors, such as energy and transportation, if they don’t raise protection on their own. He also wants to move much of the government to a Zero Trust model, which means assuming that all computer network activity is malicious until users prove otherwise. The hope is that heightened government cybersecurity standards and requirements will become a model that pushes the private sector in the same direction.

+ Realizing that it must improve at stopping cyberattacks before they occur, the National Security Agency’s Cybersecurity Collaboration Center announced this month that more than 100 companies had joined an NSA effort to collaborate with industry on big cybersecurity problems. This is a huge about-face for the NSA, which for decades avoided such public efforts. For starters, the NSA is working with cloud computing companies and others to speed the translation of intelligence about cyberthreats into unclassified forms that can be shared with industry officials who lack government clearances.

While the start of serious cybersecurity collaboration has been sparked by relentless nation-state attacks, other factors are also catalysts. One is the chilling developments in steps to use artificial intelligence to weaponize large stolen datasets about individuals and spread targeted disinformation via text messages and other means.

Another disturbing trend is the growing privatization of cybersecurity attacks through a new generation of private companies that are effectively 21st-century mercenaries.

They are known as private sector offensive actors (PSOAs) and represent a growing option for nation-states to buy the tools needed for sophisticated cyberattacks rather than build them from scratch. This is appealing to governments with money but not skilled people to create their own weapons. One company in this sector is Israel-based NSO Group, which has created and sold to governments its Pegasus app—spyware that can stealthily enter a smartphone and gain access to everything in it. NSO is currently involved in US litigation.

Collaboration in the cybersecurity world can better fight this challenge, as well as many others. Let’s hope it continues to grow.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber Capital, & Co-Founder, cyber startup foundry DataTribe

Topics: Policy & Government; Analytics, Intelligence & Response

Tags: critical infrastructure; cyber warfare & cyber weapons; persistence; policy management; threat intelligence; zero trust; trusted computing

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
