When Ivanti devices were hacked earlier this year, the company's participation in an industry-government collaboration gave the Cybersecurity and Infrastructure Security Agency a “head start” to combat the vulnerabilities, the agency's director said Wednesday.
The cybersecurity firm linked an attack on Ivanti products in early 2024 to Chinese hackers, and the breach ultimately impacted CISA itself. In April 2023, Ivanti joined the Joint Cyber Defense Collaborative, a project that has been panned by some, and CISA officials have acknowledged there is room for improvement.
“This collaboration gave us a head start working with you when we discovered the vulnerability in January,” CISA Director Jen Easterly, who has led the agency since 2021, said at an event hosted by Ivanti. While there were “some tough days” early on in the collaboration with CISA, she said, working with Ivanti and the government to raise the alert shows how far the agency has come.
Easterly also praised Ivanti's cybersecurity commitment, announced last month amid a string of security incidents. The “very encouraging” pledge, she said, “should serve as a model for other CEOs on how to incorporate not only security-by-design principles, but also how they talk about corporate cyber responsibility.”
The JCDC is part of a constantly evolving and constantly debated “public-private partnership” between government and the private sector.
At the same Ivanti event, Easterly's predecessor, Chris Krebs, talked about building collaborations between the federal government and industry, from the Cyber Defense Joint Organization to the National Risk Management Center (a “prototype” version of the JCDC). He said that years of efforts to achieve this goal are bearing fruit. He told the National Security Agency's Cybersecurity Collaboration Center.
“These efforts are beginning to pay off with the resources and time invested. They are also producing results. I don't think there's any evidence of success as much as size,” said Krebs, now SentinelOne's chief information and public policy officer.
Also at the event, FBI officials said Congress needs to renew liability protections for companies that share cyber threat data with the federal government before they expire next year. Congress established those protections against lawsuits under the Cybersecurity and Information Security Act of 2015.
“One of the things we really need to do is protect what's already working,” said Brian VaughanDran, deputy director of the FBI's cyber division. “This is something that should continue as an essentially clean bill. It gives [the] private sector very specific protections.”
The threat intelligence sharing program established under the 2015 law has had its own problems, but a January watchdog report said “sharing has improved” over the past few years.