SAN FRANCISCO – America is in a perpetual state of defense and the nation’s cybersecurity chiefs concede many must-haves and must-dos remain undone.
Risk is spreading at every level. Threat actors are actively exploiting vulnerabilities and cybercriminals are catching businesses off guard.
Yet, federal authorities are still identifying roles and responsibilities, strengthening collaboration between agencies and enterprises, and developing more nuanced frameworks for advisories.
Bureaucratic morass slows some of these efforts within the government and, more broadly, education and talent development needs remain unmet. But U.S. cyber leaders are trying.
The federal government is well into a years-long push to forge more cohesion and coherence across cyber defense, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said Tuesday at the RSA Conference.
The National Security Agency (NSA), FBI, CISA, the Office of the Director of National Intelligence and the Secret Service are all sharing expertise and threat assessments. This, on top of coordination with multiple executive departments, allows the authorities to better plan and operationalize the response to private-sector threats.
These efforts were previously divided by agencies, which limited their abilities. But no more, said National Cyber Director Chris Inglis on the panel. “If you’re a transgressor in this space, you have to beat all of us to beat one of us.”
The cross-agency collaboration required a more fluid flow of information. To help, officials are declassifying intelligence and collaborating with enterprises, tech giants and cybersecurity vendors to identify and connect the dots required to “drive down risk to the nation at scale,” Easterly said.
On the eve of Russia’s invasion of Ukraine, CISA instituted the Shields Up initiative to warn and advise organizations on how to prepare for Russian government cyberattacks.
“We should never be shields down,” Easterly said, but CISA is considering a new advisory framework to provide more detail about each unique threat to avoid remaining at the highest alert level for an extended period.
This framework would include a specific window of time, locality where applicable and what the U.S. government knows based on its own intelligence, she said.
“It is hard to strike that balance,” NSA’s Director of Cybersecurity Robert Joyce said on the panel. “We really do know that there is bad intent out there but we may not know the specific where it's going to strike.”
Likewise, the U.S. government doesn’t know when and what is going to happen, Inglis said. It strives to improve on that front by combining the insights and capabilities of all federal agencies, and effectively “crowdsource [transgressors] the way they’ve crowdsourced us,” he said.
The focus remains on providing relevant, actionable and timely information that network defenders can use to increase network security and resiliency.
“I think all of us realize now the goal is not prevention. We're not going to prevent bad things from happening,” Easterly said.
It starts with the basics. Enterprises can dramatically reduce risk by patching known exploitable vulnerabilities. They also need to implement multifactor authentication by default, practice password hygiene and protection, update software and check twice before clicking on suspicious links.
While the government can demystify and communicate the importance of security best practices, much still comes down to individual responsibility, Easterly said. “The problem is we just don’t communicate these concepts very well.”
The federal government wants to lead by example but still needs to get its house in order, and it’s 82% of the way there, Inglis said. “The government is trying to put its money where its mouth is in driving these practices into the supply chain that feeds to government.”