Many hands make light work. If you want to go far, go together. A single arrow is easily broken, but not ten in a bundle. Asking an AI assistant for proverbs about teamwork and collaboration will generate hundreds of examples from all over the world. Collaboration among people and organizations is critical to many societal functions.
This year’s RSAC™ 2025 Conference theme of Many Voices, One Community encapsulates this concept for cybersecurity. We need many different voices across the cybersecurity community. Without diversity of thought, skills, background, and perspectives, we cannot and will not succeed in making our digital ecosystem safe. Included within “Many Voices” are governments and their respective cybersecurity activities. The cybersecurity community needs strong participation from governments around the world if we want to take on cybercrime and reduce the impact of malicious cyber activity on our societies. Without the government “voice” in the community, our actions will fall short.
Governments carry out several key functions within the community that the private and non-profit sectors cannot. These functions include addressing public risk, upholding non-market values, and imposing costs on adversaries. A quick look at each of these areas shows why.
Due to the nature of interconnected IT networks, an organization’s cybersecurity risk has both public and private aspects. The private risk element falls on a specific organization, while the public part is shared among all elements of society to varying degrees. Private action should be sufficient to address private risk. The problem stems from the public portion of networked risk. No individual or organization has the incentive to address this portion of the cyberthreat. Left unattended, this risk can build up to unsustainable levels, and it can have catastrophic results. This situation is quite common across many different policy areas, from public health to land-use to border security. Only governments have the incentive and tools needed to manage the public risk inherent in a connected world.
For example, a regional bank might calculate the expected cost of a cyber incident based on the impact to its operations and direct losses. It would then invest in cybersecurity measures up to the level needed to reduce the likelihood of such an incident to an acceptable level. However, a malicious actor might use the bank’s IT systems as the jumping-off point for other operations targeting other banks. The resulting losses do not directly affect the first bank; therefore, the bank has no incentive to adjust its cybersecurity spending to address this public risk. Only a government can create incentive mechanisms to “price” cybersecurity correctly, so that the networked effects of cyber incidents are considered.
Not everything that societies value is amenable to a money-denominated transaction. For example, humans intrinsically value fairness or equity and we get angry when those principles are violated. We want to protect children and the elderly from harm. It’s not that the private sector cannot support these values or try to operate according to them, but governments are responsible for upholding these values and calling individuals to account when they do not live up to them. In cybersecurity terms, governments can focus on thwarting romance scams or removing abusive material from the Internet in a way that private sector companies have no incentive to do. They can take these actions at a scale the non-profit sector cannot match.
In the US, a clear example of this function is the Federal Trade Commission. The FTC runs a sharing platform called Consumer Sentinel. This platform enables consumers to report all sorts of financial-related crimes, ranging from identity theft to online fraud. The FTC provides this service for free to US law enforcement agencies and some international agencies. Only the government would have the incentive and organizational reach to set up such a sharing activity and not have to charge users.
Defensive action alone will not result in the kind of digital environment we want. We also have to impose costs on the malicious actors, whether those costs come in the form of financial sanctions, destroyed computers, or arrests. However, imposing costs on adversaries is an inherently governmental function. While the private sector can create friction for adversaries, thereby imposing a type of cost, if we really want to reduce illicit profits, arrest cybercriminals, and disrupt malicious activities at scale over a sustained period of time, government action is required. Even if we support the idea of issuing “letters of marque” to private sector companies, it’s still the government approving those letters. The only entities able to impose sufficiently high costs on cybercriminals are governments.
Consider ransomware gang disruptions. While we can debate the long-term efficacy of certain approaches, operations targeting Alphv/BlackCat, LockBit, 911 S5 Botnet, Black Axe, DigitalStress, Ghost, Redline, the Com, and the Matrix in 2024 resulted in disrupted infrastructure, seized assets, and arrests. These operations imposed costs on the criminal ecosystem, and all were led by law enforcement. The government worked with the private sector in almost every case, but it was government agencies leading the operations.
Of course, sometimes government voices can be too loud, or too commanding, or too slow, and some government actions decrease overall cybersecurity. However, just like the cybersecurity community needs people with different skills, cognitive patterns, or ethnic backgrounds, the cybersecurity community needs governments as partners and collaborators. Achieving that goal is difficult when government agencies lack the resources to participate fully in the cybersecurity community. Unfortunately, too many governments fall into that category. Even those that have traditionally had strong capabilities face threats of reduced staffing, fewer dollars, and less expertise. This state of affairs will only benefit the criminals.
Incorporating many voices is hard work and it can be frustrating. Ever had to listen to a choir rehearse, especially the first read-through of a piece of music? It can be downright painful. Yet, that’s what makes it all the more amazing when the choir comes together to sing a piece beautifully.
The same is true in cybersecurity. Getting all the different voices to sing together is a monumentally difficult task, but if one of the voices isn’t there at all, the “choir” won’t be nearly as good. It’s easy to extol the virtues of private sector innovation and agility or the selfless missions of cyber non-profits. On the other hand, it’s easy to bash governments and cynically assess their activities. Working with governments can be challenging. Yet, just like eliminating an entire section weakens a choir, weakening government capabilities will undermine our collective cybersecurity elements; conversely, strengthening government capabilities can make the cybersecurity choir even more powerful against those seeking to do us harm.
The concept of “Many Voices, One Community” reflects the community’s superpower. Let’s make sure that all the voices are strong and included.