- The Cybersecurity and Infrastructure Security Agency (CISA) is partnering with high-profile security, technology and telecommunication companies to encourage public-private cooperation in national cybersecurity. The partnership will work across four main areas: information sharing, developing comprehensive cyber defense strategies, exercising those plans and implementing the plans into operations.
- CISA launched the Joint Cyber Defense Collaborative (JCDC) to conceptualize planning "against the most significant cyberthreats facing our nation," Jen Easterly, CISA director, said during the Black Hat keynote Thursday.
- Initial members of the JCDC include CrowdStrike, FireEye, Microsoft, Google, AWS, AT&T, Verizon, Palo Alto Networks and Lumen. The first two initiatives of the private sector partners are focused on combating ransomware and developing a framework for how to respond to cyberattacks on cloud providers.
JCDC was a concept in part created by the Cyberspace Solarium Commission (CSC), which National Cyber Director Chris Inglis was a member of. "I wanted to call this thing the advanced cyber defense collaborative, but the lawyers wouldn't let me," Easterly joked.
As CISA's second-ever director, Easterly wants to "breathe new life into these arguably hackneyed terms, turning public-private partnership into public-private operational collaboration," she said.
Government and private industry has always encouraged information sharing but it lacked effectiveness. Companies have many avenues to share or access insights, including:
- The FBI's Internet Crime and Complaint Center (IC3), tip submission system or InfraGard
- CISA's automated indicator sharing (AIS)
- Industry Sharing and Analysis Centers (ISACs) across different industries
Sharing too much in security can create a dilemma from a business standpoint — companies could risk exposing their vulnerabilities. But by remaining silent, they could risk letting others remain vulnerable, too.
Non-technical or security personnel discourage information sharing due to misunderstanding data relevant to cyber when compared against strategic business data, which is an internal business issue. However, security leaders have proven information sharing improves a company's security posture, according to a survey by Ponemon Institute sponsored by Neustar.
Likewise, the federal government has not always been willing to share what it knows citing classified information. It makes the transaction between the public and private sector feel one-sided for companies.
As the public confronts a growing number of cyberattacks, the current administration has made cybersecurity a priority.
"I believe it is all about the priority and messaging this administration has put on the cybersecurity challenges," Vanessa Pegueros, chief trust and security officer at OneLogin, told Cybersecurity Dive in an email. President Joe Biden's executive order in May "strongly signaled the actions around this public-private partnership," declaring national cyber defense requires participation from both sectors.
CISA is a federal agency built on collaboration. Before the agency was established in 2018, the federal government acknowledged a gap in cybersecurity coordination between the public-private sectors. The JCDC is the latest attempt to bridge those gaps as the U.S. is recovering from at least two cyberattacks that impacted the public by halting the companies' respective supply chains.
"Timing is everything. I believe public awareness around cyberattacks is at an all-time high," Pegueros said. Because businesses are losing more money more frequently, "these realities will improve the chances of success of an effective public-private partnership, granted the approaches may be very different from what has been taken in the past."
The JCDC intends to combine expertise from the intelligence community, Department of Defense, Cyber Command and the private sector. "To some extent, some of these activities are already going on across the federal government, but they're largely in stovepipes," Easterly said.
"It also means being able to leverage the power of the federal government," Easterly said, referring to agencies with sector-specific cybersecurity requirements.
For example, in light of the Colonial Pipeline ransomware attack, the Transportation Security Administration (TSA), for the first time, implemented required cyber directives for pipeline owners and operators and the Department of Energy is watching cybersecurity "performance goals" set by the Biden administration.