Improving Cybersecurity Requires Building Better Public-Private Cooperation
Cyber threats have a long reach. What seems like a low-level cyber incident can have a larger ripple effect, impacting millions of innocent people. A password breach that occurs in a private company, like Colonial Pipeline, can end up taking down sections of the critical infrastructure, for example. The line between attacks on the public sector and private interests are blurring, and now, with new directives and initiatives from the Biden Administration — along with new departments within federal agencies — the government seems committed to collaborating with companies to address emerging cyber threats.
Both government agencies and private vendors already see the value in building partnerships. Pat Gould, Defense Innovation Unit (DIU) Cyber Portfolio Director, says, “Partnering with the private sector is critical for advancing our mission of accelerating commercial adoption of technology across many sectors, especially in cybersecurity.”
The private sector view is similar — the need to collaborate is critical, and it is about time that efforts are being made to facilitate such a partnership. Initiatives like the National Cybersecurity Strategy, for example, are bringing in private-sector security vendors to share threat information or provide solutions and tools that are beyond government scope.
Mick Baccio, global security advisor with Splunk, admits the ability to work together has been hindered by the private sector’s inherent distrust of government, especially as administrations and congressional leadership changes.
“Building credibility is tough to do in this atmosphere,” says Baccio, “but thanks to a push by the current administration, the continuity that cybersecurity and the private/public partnership needed is finally in place.”
Executive orders with guidelines to facilitate improved security across the supply chain, for example, can be canceled the moment a new president takes office. The Cybersecurity and Infrastructure Security Agency (CISA) is one of the government agencies attempting to bake public-private cybersecurity efforts into its mission.
Government’s Role in Collaboration
There are a few agencies that are uniquely set up to focus on collaboration with the private sector. Beyond its high-profile work in keeping voting systems safe, CISA is responsible for securing critical infrastructure in cooperation with companies.
The FBI has worked closely with both public and private entities for years, but as cybercrime — particularly ransomware — ramps up, so too has the outreach from the FBI to the private sector.
Many other agencies also have similar security-related outreach built in, like the Department of Energy. Because many areas of the energy critical infrastructure are owned and operated by corporations, the department needs to build partnerships not only to keep the infrastructure safe but also to prevent disinformation and misinformation that could cause a national panic. (The Colonial Pipeline cyber incident is a prime example, when poor communication led to gas shortages on the East Coast.)
The Cybersecurity Collaboration Center (CCC), part of the National Security Agency, was established three years ago, and it signifies a shift in how the government works with private-sector vendors to share information and expertise to scale mitigations, according to the center’s chief, Morgan Adamski.
“We’re looking at the quality of our relationships over the quantity,” Adamski said during a 2023 RSA Conference panel on public-private partnerships. She said CCC will share threat analytics with cybersecurity companies that have the broadest outreach, which could provide protection for billions of customers.
Some argue that this trickle-down information sharing hampers security efforts, however. “The argument is that working with fewer but larger vendors will minimize the chance of leaks while protecting the most people because they’ll have more threat intel to share,” Mike Wiacek, founder and CEO of Stairwell, wrote for Dark Reading. “But I would argue that making the research collaborations more inclusive would not only level the playing field among vendors but also increase the diversity of threat intel sources and apply more human expert intelligence to the problems.”
What Private Vendors Bring
Innovation comes from small companies, which file more than 14 times more patents in the US than larger businesses and universities do. Government and large enterprise rely on strategic partnerships with smaller security vendors to build out their cybersecurity programs.
Government is more than federal agencies, says Merlin Cyber CEO David Phelps. States, counties, and especially municipalities don’t have large budgets or staffing to manage cybersecurity needs.
“They need the outreach to the private sector to help address cybersecurity concerns,” Phelps says.
Vendors may have a better — or at least different — view into the threat landscape and can work quickly to come up with the right tools or solution for a government entity at a more affordable rate than is charged to the private sector. Not only can community governments take advantage of the lower cost, but because they are using an approved government vendor, they now have federal oversight.
Having similar tools, knowledge base, threat landscape, and product behavior as businesses gives CISA a broader view of what’s happening across a larger swath of the critical infrastructure.
“By actually having government entities of all sizes using the same platforms, threats will be a lot more visible as an ecosystem,” says Phelps.
The value of having partnerships like this is having a private sector that has the flexibility and the funding to investigate threats in ways that government can’t. Larger businesses within the private sector can invest in startups who are developing cutting edge technologies. This agility and scalability are among the most important contributions the private sector provides.
United Against Ransomware
The fight against ransomware is a good example of a public-private collaboration. The FBI actively works with private vendors to not only identify ransomware, but also to defend against ransomware crime rings and nation-state actors. Partnering on this type of attack works well because ransomware attacks tend to have a lot of similarities.
“Because all of the actors use the same tools and services, all of our options increase,” explained Cynthia Kaiser, deputy assistant director with the FBI, during the RSA panel. For example, in 2019, government agencies learned that a global Russian-distributed botnet was using a US company to implant malware in millions of devices. The FBI worked closely with that company and different government agencies to find a solution to counter this malicious activity and to cut off the command-and-control infrastructure of the global botnet before it could do any more damage.
When there is an incident, the most vital pieces of information come from the victimized organization. The victims become partners with government agencies, sharing details about what happened and what they continue to see happening in their networks. The government agencies gather that information and help the companies put the threats into context.
“A key part of collaboration is that it is bi-directional, and it’s critical that people come early and often to that trusted relationship to have the [cybersecurity] conversation,” said Adamski.