- The federal government is using the same products as companies in the private sector, Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, and founding partner at Krebs Stamos Group, said during the virtual Gartner IT Symposium/Xpo Wednesday. If the government can influence commercial software vendors to attain a higher security standard, private sector companies will benefit.
- President Joe Biden's May executive order demands deeper security accountability for software development. "By upping the requirements, the security expectations of these products, the government is finally moving into one of its greatest points of leverage, and that is the power of the purse," Krebs said.
- For some technology vendors, the government is their largest customer. Krebs expects that when these vendors improve their build environments, private sector customers will benefit too.
The success of some of the initiatives in Biden's order depends on private-sector cooperation.
"If you accept your own mortality, and that you have control over what your network looks like, that puts you in a position to make good decisions on how to better defend," Krebs said. "I have a lot of hope that going forward, there will continue to be improved defenses, particularly in the most critical of industries in the U.S. And that the government is going to be a partner and not an inhibitor."
"Where it all starts is right here, with this team — the CIOs and CISOs. We all are a part of this bigger defensive collaborative," he said.
CISA has made efforts in recent months to further strengthen the public-private partnership. In August, the agency announced the Joint Cyber Defense Collaborative (JCDC) to address four main areas of security: information sharing, developing comprehensive cyber defense strategies, exercising those plans and implementing the plans into operations.
The agency also published a "bad practices" catalog to document "inadvisable cybersecurity" practices. "It's kind of a negative learning moment flipped on its head to provide assistance," said Krebs.
When presenting to the board, CISOs can cite attacks on other organizations and assess the poor practices that might have led to them. CISOs are focusing less on presenting security to their stakeholders and more on presenting risk, and CISA aims to support that.
CISA is meant to be seen as the nation's risk advisor, Krebs said. "That is really the untapped space of opportunity to provide risk management advice and understanding to executives that handle a wide array of business risks."
The agency was designed to be a voluntary sounding board for companies and security leaders. CISA also lacks the regulatory authorities other agencies use to "generate reactions and outcomes in industry," said Krebs. "CISA has almost none of those." As long as CISA knows its place, it will continue to draw more companies to engage with the agency.
But the agency still needs greater authority, at least over other federal departments. CISA Director Jen Easterly wants to see the Federal Information Security Management Act (FISMA) codify CISA as the operational lead for federal cybersecurity, where ideally agencies would transition to more operational risk management.
Additionally, Easterly wants to see incident notification legislation to facilitate information sharing with CISA. Without it, the agency cannot provide relevant information to potential targets.
The agency had to work, and is still working, toward "distilling out from the government's unique holdings" to overcome a profit-driven approach to threat intelligence, Krebs said. "Instead, the government can kind of eat that loss" and share relevant threat or adversary information, even from classified spaces.
Information-sharing efforts that are too broad have limited success, according to Krebs. "They're so amorphous and they don't have a lot of crispness in what you're trying to achieve from an objective perspective."