More than two years ago, the just-minted director of the US Cybersecurity and Infrastructure Security Agency (CISA) used her speaker’s role at Black Hat to call for new partnerships between the federal government and private industry. The result of Jen Easterly’s call has been the Joint Cyber Defense Collaborative (JCDC), a public-private partnership (P3) that has seen cooperation on developing cyber defense planning, effective government-industry coordination mechanisms, common metrics of operational effectiveness, and more.
Now, CISA has announced JCDC’s priorities for 2024. These recommendations are reasonable reflections of the threats facing American cybersecurity stakeholders, and their scope falls in line with P3 activities from the previous two years. At the same time, CISA faces criticism from voices that see JCDC efforts as too limited at such a critical time for America.
This year will involve an unprecedentedly contentious presidential election — amidst an avalanche of other national elections around the world — at the same time as the United States attempts to develop new approaches to artificial intelligence risks, varied cybercriminal activities, and conflicts spread across Europe, Asia, and the Middle East. The United States clearly needs effective cyber P3, but if JCDC remains “infantile” in form, as the Departments of Treasury and Veterans Affairs Deputy CISO put it, perhaps there’s more that industry could do to lead the defensive mission.
Bottom-up approach to public-private partnership needed
A core lesson of the 21st century so far is that cybersecurity is a shared interest and a shared responsibility. Top-down P3 efforts led by CISA include much that we might laud, particularly in terms of the principles of collective collaboration on national security espoused by Easterly and her predecessor. However, the practicalities remain lacking for cybersecurity teams and professionals.
A better cybersecurity future for American industry — including a more prosperous business outlook and a more stable digital security threat landscape — must build from the bottom up to meet the potential of work like that being done by the JCDC. At worst, actions like the ones suggested here will help more rapidly develop the foundation that top-down efforts presently seek to develop. At best, private-led P3 could help harden the target of American society in ways that have traditionally been hard to envision.
Joint Cyber Defense Collaborative’s 2024 priorities
The development of JCDC efforts since 2021 has emphasized strategic coordination between the United States’ private and public cybersecurity stakeholders, as well as international or multinational organizational partners. The initiative has done well in speaking to strategic interests and creating alignment about risk mitigation, defense response, common measurements, and more. It’s where these efforts have encountered operational and tactical realities that the JCDC is seen to be falling short.
This dichotomy of successes and shortcomings makes sense as an institutional-cultural problem. CISA and related federal stakeholders have been remarkably resistant to adopting the language of risk that dominates the cybersecurity practice, preferring instead to couch national objectives in line with the nomenclature of societal interests, political objectives, and geopolitical security. The result of this mismatch of frameworks has clearly had an impact on CISA’s thinking with the JCDC’s 2024 priorities appearing to hew the line between strategic imperatives and the operational missions involved:
Defend against advanced persistent threat operations
This priority emphasizes the critical need for better defense against malicious foreign advanced persistent threat (APT) actors with a focus on China-linked threats to critical infrastructure. The priority calls for a shift in emphasis away from preparedness and espionage capabilities toward the building of active defense capacities that can blunt threats against critical national functions. This will include the publication of a new National Cyber Incident Response Plan (NCIRP) soon.
Raise the cybersecurity baseline
The second JCDC priority focuses on the baseline of cybersecurity investment and resultant defensive activity in the US, with CISA essentially staking out a position that foundational cybersecurity practices remain lacking across industry. These active operational commitments will provide greater support for election infrastructure defense, promote ransomware mitigation practices, and make progress on technology that is more “secure by design” than ever before. While this final point seems aspirational, it speaks to the influence of technology vendors in the JCDC process — something that has drawn criticism from more conventional cybersecurity stakeholders.
Anticipate emerging technology and risks
Finally, CISA continues to look to emerging technological risks and wants to limit the threat posed to American critical infrastructure by artificial intelligence (AI). This priority and its related operational implications are understandably the most vague of the statements JCDC is making. Despite an attempt to link strategic imperatives to operational missions, it is difficult to see from where tactical mission parameters and program developments useful for industry will emerge in 2024.
5 ways for industry to shape public-private cybersecurity collaboration
One of the greatest shortcomings of the JCDC consistently addressed by federal officials lies with access to the resources needed to coordinate a complex collaborative sufficient to more effective cyber defense of the nation. However, planners and administrators from CISA and related parts of government like Treasury or Veteran’s Affairs make a mistake often seen in major P3 initiatives: The fact that we call them public-private partnerships doesn’t necessarily mean that public stakeholders come first as the foundation for effective collaboration.
Public resources and coordinating bodies cut across a complex landscape of industry interests, capabilities, and know-how, but private-led initiatives often excel at providing the consumer/citizen context, the technical awareness, and the political capital needed for building effective security practices. Here are five ways private organizations can help shape those practices:
1. Leverage collective agency
A common trope about cybersecurity collaboration is that web technology development and operation have all the hallmarks of a serious collective action problem. To some, the costs of collaboration outweigh the benefits to be gained, particularly as data sharing or commitments to P3-style initiatives manifest as greater external scrutiny of practices and added investment and not more tangible forms of systems defense. That, combined with the line that vulnerabilities will likely outstrip actual attacks by an order of magnitude, makes the case for “top-down” initiatives — as former director of CISA Chris Krebs often labeled them — as a necessary driver of P3 activity.
These arguments fail to hold up in a world where malicious APT groups and criminal actors target small and large companies alike. The idea that American industry is digitally interdependent on the actions of individual contributors is far more accepted than it might have been a decade ago. A whole-of-society approach that leverages collective agency to shape the P3 landscape in the US makes sense. But what might that look like?
One tangible step that cybersecurity stakeholders can take is to build the bottom-up infrastructure that can meet JCDC’s top-down strategic vision as it attempts to descend into tactical usefulness. This can be done by encouraging the development of volunteer civil cyber defense organizations while simultaneously lobbying the federal government for support of these entities. This kind of volunteer service model is an incredibly cost-efficient way to boost national defense, save federal government resources, and assure private stakeholders about their independence.
Civil defense groups, for which there are various existing models in partner nations like Estonia, are locally focused attempts to provide community-facing support relating to digital threats. They serve as ways to promote awareness, data sharing, community networking for crisis reaction, and dissemination of best practices among local constituencies. They avoid many of the strictures of affiliation with either government or specific companies that the public often places on community outreach. And they serve as ready-made, multi-capable helpers in times of crisis that often see actors like CERTs or CISA scramble to galvanize public-private networks of response.
Most importantly, civil defense groups can and should be supported by the government under crisis conditions. In other countries, the receipt of strong private support and encouragement by such groups has translated into situational compensation during response periods. Members with certifications and community roles can be compensated for incident response duties performed, something that encourages membership in civil defense organizations based on community and national concern.
The United States has a tradition of private support for such initiatives, including the pre-WWI preparedness movement and the WWII-era Civil Air Patrol, each of which helped develop strong working partnerships between industry and government based on shared civic interests and engagement. With cybersecurity, active support for a network of civil defense groups could also succeed along these lines, creating the foundation of shared private-civic interests and capabilities that CISA strategic efforts (and constrained funding!) can plug into.
2. Target constellations of influence
Related to the need for whole-of-society collective approaches for building better P3 efforts, private cybersecurity stakeholders should better organize their outreach. In part, this means that cybersecurity practitioners and their business counterparts should internalize the fact that speaking to the public about risks and vulnerabilities is a net positive for both firms and society.
Consider the example of Biden administration activity just prior to the 2022 launch of Putin’s invasion of Ukraine. By rapidly de-classifying threat information about Russian mobilization, the US government risked heightened vision into the intelligence activities of America’s defense community, even opening space for criticism about past support for Ukraine. Yet, what followed was the generation of powerful audience cost effects in favor of supporting Kyiv.
By framing Western vulnerability and know-how in the same pragmatic image of imminent threat, the Biden administration cultivated immense popular acknowledgement of the negative repercussions of not committing resources to a previously unpopular type of security support mechanism. The same kind of messaging on cybersecurity can only bring net benefits for industry cybersecurity stakeholders.
If the goal of the JCDC is at least partly to graft CISA’s map of strategic digital vulnerability onto civil and industry partnership collaboratives, then more direct attempts to build common understanding and demonstrate audience costs for inaction will insulate private actors whose messaging involves admitting vulnerability. It would also make the support of volunteer service intermediaries a much more tenable model for civil defense than anything that currently exists in the United States.
In part, better organization of outreach for industry also means being smart about which decision-makers and networks of officials are critical for selling a vision of private-led P3. Robust civil cyber defense as an aid to traditional crisis response and mitigation capabilities doesn’t just require accessing constellations of influence among the public. It also means access switchers and programmers in public service. Switchers are those people with the power to constitute and define networks dedicated to a purpose, such as technical experts who make decisions about how to deploy and manage technology that dictates how an organization operates. Programmers are those with the capacity to ensure that networks (e.g., security teams, companies, developers) can work together by ensuring common language, goals, etc.
Public-private partnerships are ostensibly about blending people like this together to produce a better outcome via collaboration than was previously the case. Unfortunately, as criticism of the JCDC emphasizes, top-down P3 efforts often fail to effectively do so due to the role of strategic parameters driving derivative mission parameters. If industry is to shape P3 cyber initiatives CISA’s more clearly toward alignment with practical tactical considerations, mapping out where innovation and adaptation comes from in the interaction of key individuals spread across a complex array of interacting organizations (particularly during a crisis) becomes a critical common capacity.
3. Use academia and the rest of the world
Related to this need for better mapping of the response landscape to aid outreach, industry stakeholders must eschew all notions of American exceptionalism (or, at least, the idea that the United States constitutes a unique attack surface). As already mentioned, foreign P3 activity is in many cases far in advance of what exists in the US and can serve as reasonable models for experimentation in building collaboration beyond what is proposed from the top on down. Moreover, incidents encountered by private actors in other countries can and should serve as a basis for collective efforts to actively model and prepare for future calamity.
There is a strong case to be made for building shared analytic resources that leverage not just the traditional technical focus of so many cybersecurity initiatives, but also the institutional-strategic focus that the federal government so often emphasizes. Here, academics and universities are obvious partners, particularly where partnerships can be developed within local and state-level communities.
Collaboration with the goal of learning more about the governance of cyber threat response and the interaction of strategic fallout with operational practicalities can only serve to enhance industry preparedness and, perhaps more importantly, generate popular awareness that is so critical for eventual P3 success. Scholars and pracademics (“practitioner-academics”) are often invaluable interlocutors for translating shared interests expressed in divergent fashion between public and private partners.
4. Improve workforce pipeline tie-ins
While it plays into each solution so far, perhaps the simplest step that private actors can take to signal greater buy-in to partnership with the public sector is greater engagement with the pipelines for workforce development. Higher education is constantly improving these pipelines. Community college cybersecurity programming is often geared toward public service with strong support from organizations like the NSA or DHS. Signaling support for such programs by hiring graduates and sponsoring events sends a strong positive message about what is working with federal outlays on national cybersecurity (as many firms already do). Working to strengthen these pipelines further by engaging pre-college students, lobbying localities for worker retraining support and more could take that signal much further.
5. Don’t spare cybersecurity vendors
Finally, as others have suggested, cybersecurity stakeholders can’t shy away from the fact that P3 initiatives like the JCDC is presenting are dominated by cybersecurity vendors. There are numerous reasons why this is unsurprising. Most significantly, vendors’ voices are often amplified by market share and the reality that many federal officials (the switchers and programmers) see national digital security futures as at least partly driven by design considerations. This dynamic does not change the reality that bottom-up collaborative security solutions in America are desirable beyond what current P3 efforts are providing.
Similarly, secure-by-design conversations must involve voices beyond vendors, the government, and the often-inexpert consumer. Security teams have a distinct responsibility to point out flaws in products, underlying infrastructure technologies, and new practices. Security teams can and should vote with their budgets against compromise solutions that are good enough but not sustainable or scalable to the standard of community security.