When it comes to public and private collaboration, it’s time for government to step back and let industry have a turn at the wheel, cybersecurity experts and government officials say.
In a panel discussion titled “Before Things Go Boom: Improving Government and Industry Cooperation Before it’s Too Late” at the New America think tank Friday in Washington, officials from both the private and public sector discussed the need for collaboration in light of the Trump administration’s recent executive order on cybersecurity.
The executive order largely calls on federal agencies and departments to conduct a series of internal, comprehensive reviews of their digital defenses. By collecting a reasonable measure of existing protections, the White House hopes to better allocate funding.
Kiersten Todt, executive director of the Presidential Commission on Enhancing National Cybersecurity, said that thoughtful, industry-driven relationships and engagement prior to major cybersecurity events will lead to the trust necessarily for improved information sharing.
“Government does incident response really well, but we don’t focus enough on what happens before the event, because at that point we haven’t developed those relationships,” Todt said as part of the panel.
The key to greater collaboration is finding the mechanism that allows government to work productively with industry. “Government has failed on this piece up to this point,” Todt said.
Rick Howard, chief security officer of Palo Alto Networks, agreed with what Todt called the “Reagan model” of collaborating. “Here’s what it really means in practicality: Find reasons to get into a room together and drink beer together … because you start to know that person on a one-to-one basis,” Howard said.
Efforts made by National Institute of Standards and Technology have been successful in the past because “we let industry identify where the key issues were and work with government,” Todt said.
The value of government, Todt said, is its knowledge on nation-state actors, ability to provide incentives, and policy. But in order for this to be useful to industry collaborators, the government must clean up its classification system to avoid using over-classification as an “excuse” to protect government information that has not been organized.
David Weinstein, CTO for the State of New Jersey and New America Cybersecurity Fellow, said government often wants to be the driver for public-private partnerships, but it also shrinks away from moving beyond the federal government in cybersecurity issues.
This lack of emphasis on state and local cybersecurity is a “gaping hole” in the recent executive order, Weinstein said.
Both Howard and Todt stressed that collaboration and harmonization of regulations must also extend to the international front. Hackers are no longer teens in basements, Howard explained, “these organizations have vast infrastructure … we just need to start building that coalition.”