Congress is in the process of debating legislation that would dedicate funds to improving public-private collaboration and information sharing relevant to cybersecurity.
The debate centers on the fact that no one really knows at this point what a successful public-private partnership within the cybersecurity ecosystem should look like. The protracted government contracting process can sometimes restrict outcomes and cause delays. The commercial sector is traditionally wary of allowing too much government involvement to slow them down. Optimizing the balance of that relationship is a key concern.
The legislation before Congress is part of the National Defense Authorization Act (NDAA), and in July, Rep. Jim Langevin (D-RI) introduced an amendment to the House NDAA bill that would establish an office within the Cybersecurity and Infrastructure Security Agency (CISA) that is dedicated to the collection and sharing of “essential statistical data on cybersecurity, cyber incidents, and the cyber ecosystem” among government agencies and private industry.
This was a policy measure recommended by the Cyberspace Solarium Commission in a report released in March 2020.
“We’re all really aware of the complexity of the risk, so it only makes sense to bring folks in who have different viewpoints and different priorities to start talking about proactive work,” said Andrea Schaumann, director of federal programs and partnerships at Fortress. “How do we make things safer for everyone, especially leveraging data and resources and access so that either private or public organizations that don’t have as much access to those things can still benefit and still shore up those weaker links so that they’re not creating vulnerabilities for the entire ecosystem.”
That certainly sounds like something that everyone both in the government and the private sector should be eager to embrace.
“You want to have a high-trust environment where everybody is incentivized and motivated to share and be collaborative to reduce risk versus isolating folks so that they have their own individual priorities or competing deadlines,” said Schaumann.
As a threat intelligence firm, Fortress has one foot in both the public and the private sides of the cybersecurity ecosystem and a unique perspective on both.
Everyone is coming to the table with similar goals with security as the primary mission, but public and private organizations are coping with different constraints and competing priorities within that regulatory environment.
To make ourselves more secure, we must be able to share information not just about successes but also about what didn’t work or could be improved. Anytime information is siloed strictly within the government or the commercial sectors, there are going to be blind spots for both, and that makes both vulnerable.
“Improving public-private partnerships creates the opportunity for data sharing and also eliminating redundancies, which overall saves both the government and the commercial sector money and time and provides strength in numbers,” said Schaumann.
Additionally, leveraging those partnerships is key to mitigating the fatigue of constantly being on guard. The public and private sectors have both increased their defenses in the wake of recent incidents like the SolarWinds intrusion and the disruption of the Colonial pipeline, but a shortage of people and resources can sometimes make it feel like we’re just waiting for the next vulnerability to pop up rather than reacting proactively to prevent problems in the first place.
That’s where collaboration can really make a difference.
“Bad actors aren’t differentiating the way we do,” said Schaumann. “They’re consistently prodding the system and trying to find vulnerabilities, whether they fall in the public or the private sector. They’re after the data. The more valuable the data or the more vulnerable the data, the more attractive it becomes.”
Collaboration — sharing of resources — is how we alleviate that problem. The alternative is to just give up, but with the threat landscape broadening, that isn’t an option.
“Of course we’re going to stay vigilant, of course we’re going to continue to try to leverage smarter solutions, more aggressive, more proactive solutions, because there’s no doubt that this is the next battlespace,” said Schaumann. “I think that’s why you’re seeing the government prioritize the creation of these cross-functional teams.”
Listen to the entirety of Andrea Shaumann’s appearance on the Defense and Aerospace Cyber Report here.
If you need help navigating the cybersecurity ecosystem, schedule some time to speak with an expert.