Public-Private Partnerships

Governments, businesses, and consumers face a constantly evolving cyber threat landscape. With new technology being introduced at a faster pace than ever before, the number of attack vectors increases greatly. The sharp rise of internet-enabled devices in government and industry, and the recent trend of work-from-home, exacerbate this already difficult challenge. The challenges we face are too significant for one company or entity to address on its own. We need collaboration, and one effective model of collaboration is through public-private partnerships.

Trellix staff has been active in public-private partnerships managed by DHS, NIST and other agencies for more than 10 years. We have participated, and continue to participate, in the President’s National Security Telecommunications Advisory Committee (NSTAC), Information Technology Information Sector Coordinating Council (IT-SCC), the Joint Cyber Defense Collaborative (JCDC), and the National Cybersecurity Center of Excellence (NCCoE).

Multiple types of collaboration are needed in support of cybersecurity: cyber threat intelligence, defensive product interoperability, and cybersecurity frameworks and standards.

An example of productive collaboration in cybersecurity frameworks and standards is the Framework for Improving Critical Infrastructure Cybersecurity, known as the NIST Cybersecurity Framework (CSF). This collaboration is widely acknowledged as a highly successful model of public-private collaboration. The CSF is considered the Rosetta Stone for cyber risk management and is currently being adopted globally by government agencies, critical infrastructure companies and businesses of all sizes. The NIST approach succeeded because policymakers and the private sector defined a real need, improving the security of critical infrastructures; the development process was open, with NIST listening to the private sector and building trust with key stakeholders; and the final product, a flexible framework, was based on voluntary collaboration, not rigid regulations. Policymakers should keep in mind the successes of the NIST Cybersecurity Framework and subsequent NIST collaborations as a positive way to get to their desired outcome.

No one organization or vendor has a complete picture of the cyber threat landscape, so it is important that defenders share the cyber threat intelligence they discover so that a bigger and more complete picture of the existing threats emerges. Efforts such as the Cyber Threat Alliance share cyber threat intelligence so that their members can turn that information into actionable data, incorporated into cybersecurity products to better protect their customers. Sharing efforts such as ISAOs, ISACs and Sector Coordinating Councils provide a means to share information within specific communities.

A public-private example is the Joint Cyber Defense Collaborative (JCDC), which is bringing together public- and private-sector partners to leverage and unify the respective capabilities, authorities, and expertise of its diverse group for the benefit of the entire nation.

What's at Stake

Trellix believes that collaboration in cybersecurity is the best way to defeat malicious cyber actors and secure our networks, data, infrastructure and even lives. We believe that strong, voluntary public-private partnerships are the best path forward to solve the grand cybersecurity challenges we face. These partnerships promote trust and innovation and are far better suited to produce long-term success than overly restrictive and trust-eroding government mandates and regulation.

We believe technology enabled with strong collaboration must be deployed rapidly to security platforms, so they communicate with each other over open communication protocols. Such technology must be guided by the strategic intellect that only humans can provide. Thus, the only way to have a winning cybersecurity strategy is to bring technology, the cybersecurity industry and the efforts between government and the private sector together. This is what real collaboration is all about. 

Recommendations

Policymakers should be wary of imposing cybersecurity mandates and regulations and should instead support voluntary collaboration and use of industry-supported standards and best practices. Industry should support accountability on cybersecurity and should dedicate increased budgets and increased managerial and organizational focus to cybersecurity.

Policymakers have taken initial steps in the 2015 Cybersecurity Act to incent information sharing via liability protections and clarified antitrust rules, to help open up broad-based threat intelligence exchange between the private sector and the government, and among private sector entities. However, too few companies are actively sharing threat information with the government and among themselves. This restricts the realization of our goal: a high-functioning ecosystem of information sharing that enables the public and private sectors to compete with global networks of sophisticated, well-resourced malicious actors.

The community needs to successfully operationalize shared threat intelligence so we can more rapidly take advantage of near-real-time information for defensive purposes.

Federal agencies should declassify larger categories of threat data and actively share them with the private sector.

DHS should issue many more security clearances to qualified company representatives to enable access to the most sensitive, and potentially most valuable, pieces or classes of threat data.

The administration should pass into law a Cyber Information Sharing Tax Credit provision which would incentivize businesses of all sizes to join sector-specific information sharing organizations, known as Information Sharing and Analysis Organizations (ISAOs) or Information Sharing and Analysis Centers (ISACs), by providing refundable tax credits for all costs associated with joining.

The public and private sectors must work together to better understand the current and emerging operational cyber threats. Only by doing so will we give ourselves the opportunity to better protect what is critical to us.