The Wall Street Journal's reporting this week that the Russians successfully infiltrated US electric grid providers raises new concerns about just how safe our critical infrastructure is from cyberattack. It has also predictably sparked some movement within the government to advocate more openness about the cyber threat landscape and to collaborate with the private sector. For example, last week, Deputy U.S. Attorney General Rod Rosenstein said the Justice Department would be more open about known threats and warned of active foreign influence operations. Similarly, Chris Krebs, recently confirmed as Under Secretary for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD), said on stage last week, “It’s not just about government working together — it’s about industry and government working together.” He continued, “We have to have integrated, cross-sector, government-industry collaboration in the cybersecurity space, in the critical-infrastructure protection space. And that’s where we’re going.”
The Advanced Cyber Security Center (ACSC) was founded on the premise that stronger collaborative defense is necessary to build coalitions around solving common security problems. Executive Director Michael Figueroa explains, “Like the Internet itself, cybersecurity is a borderless domain. While some specific threats may be more sector or target specific, the underlying root cause problems are common to all of us, and cannot be solved by any one organization working in isolation.” With that in mind, the ACSC fully supports this new movement toward broader public sector collaboration on the security challenges we all face.
Unfortunately, history informs a healthy skepticism that any significant progress will be made soon. Just last week, three of the top cybersecurity officials at the FBI were reported to have left their posts. Earlier this year, the White House chose to eliminate its “cyber czar” National Security Council position, preferring instead to merge it with other roles. When the ACSC discussed the changes in its regular meeting of New England cyber defenders and the role of public/private communications on security, members restated recurring complaints that the government considers information sharing a one-way exchange, suited to provide value to the government without any in return. That the most recent report declassifies information that the government received as much as four years prior doesn’t bode well for the expected timeliness of valuable intelligence.
Furthermore, industry has emerged as better positioned to defend the country against cyberattack. The ACSC has recently observed an increasing shift of cybersecurity talent from government to the private sector. Even an area of traditional strength within the US intelligence community, human intelligence, is rapidly emerging as a private sector competency.
Over the past few years we crossed a tipping point where cyber professionals in the private sector outnumbered government positions. It’s clear many of those professionals came from a government or military background. But as the industry grows the expertise has diversified out into private organizations. Yes, the government still has incredible expertise, but the private sector is starting to match their abilities -- at least on defense -- and the government realizes there is value to all parties through collaboration.
In addition, training that was often learned on the job at government sites, or through government contractors, is now being taught from the high school level through the university systems. The Cybersecurity Education and Training Consortium (CETC) is a project between the University of Massachusetts and the ACSC and involves 36+ training programs from 10-week certification programs all the way through to Ph.D.s.
Trust between the public and private sectors continues to be a major impediment. After sitting down with local experts to examine practices for unlocking trustworthy public/private collaborations, especially between industry and law enforcement, John Ellis, an ACSC intern, reported that, “the challenges ... seem insurmountable.” But, he continued hopefully, “As those with expertise in law enforcement and in the corporate sector come to understand the advantages and the risks of each investigation and the pivotal role that security of information plays in asset loss, many instances national security, investigative policy, procedures and law will evolve.”
Despite the advantage that industry has shown in capability, the ACSC continues to advocate the need for strong public/private partnership on cybersecurity. For one, the US government can wield great authority when issuing warnings about threats. This week’s news is a perfect example -- the threat to the infrastructure was first reported in September last year in Fortune, but it was the recent announcement that sparked headlines around the country. Also, when community-level challenges are addressed by industry alone, solutions tend to favor those organizations with greater resources. While sophisticated companies are generally able to defend themselves from attacks, other organizations that we depend on, including vendors, business partners, municipal offices, public officials, law enforcement, etc., face a widening accessibility-to-security gap that can be best addressed by state and federal agencies. This function becomes one of particular urgency when we face broad attacks that affect the whole community, such as the Mirai botnet attack that brought down Internet access in the Northeast, and the NotPetya ransomware that disrupted hospitals and shipping operators alike.
The ACSC ardently submits that a strong relationship between the public and private sectors will improve regional and national cyber capabilities. As a federally-recognized Information Sharing and Analysis Organization (ISAO), building security coalitions is what we are specifically chartered to do. To that end, we regularly share effective practices. Perhaps one of our most ambitious endeavors is our current collaboration with the Department of Homeland Security and our members to develop cyber simulations that test our ability to respond collectively to community-level cyberattacks, and a three-year plan to develop an exercise framework that will enable others to conduct the same simulations. We hope to improve both an individual organization’s cyber resiliency and its relationships with local government officials who can assist in a larger event.
The Private Sector is Increasingly Sophisticated
In the end, we all have the same goal: to keep our country up and running without interruptions to the daily flow of private life, commerce, and government. As Americans slowly come to the realization that a cyberattack is a new domain of war, those of us on the front lines should do all we can to ensure those disruptions don’t happen. Let’s keep reaching out and connecting -- improving detection, response, and recovery. Let’s use all the arrows in our quiver.