All hands on deck: Gov officials call for cybersecurity help from…everyone

Going up against a highly organized set of attackers requires a highly organized set of defenders, said a roundtable of government officials this week.

At RSA 2022, panelists from the Cybersecurity and Infrastructure Security Agency (CISA), NSA, and the Executive Office of the President emphasized the importance of collaboration with industry—a collective, equipped defense of government and the private sector.

Ransomware “kind of has organized as a syndicate,”  said National Cyber Director John Inglis: “It’s a syndicate operating against us. How can we respond with anything less? It takes a network to beat a network.”

Let’s collaborate

In August 2021, CISA formed the Joint Cyber Defense Collaborative—a private-sector alliance with over 20 partners, including Google Cloud, IBM, and Microsoft.

“They have incredible visibility that we just don’t have,” said CISA director Jen Easterly, referring to the JCDC partners. “It’s not lost on anybody that SolarWinds was not discovered by the US government; it was discovered by a private cybersecurity vendor.”

The collaborative efforts have extended to Shields Up—a CISA program aimed at helping organizations protect their critical assets and defend against cyber intrusions, particularly from Russia.

Them versus all of us

To help network defenders large and small maintain their shields, according to the RSA speakers, organizations need a baseline of best practices: a focus on known exploitable vulnerabilities, said Robert Joyce, cybersecurity director at the NSA; the deployment of multi-factor authentication, said Easterly; and a determination of roles and responsibilities, according to Inglis, especially along supply chains.

“What is the responsibility of somebody who builds the piece parts? What is the responsibility of the other members of that supply chain who essentially then pass that on and integrate that into successively more complicated kinds of things? What’s the responsibility of government? What’s the responsibility of the private sector, so that this person doesn’t stand alone in this skirmish with the cyber transgressors?” asked Inglis.

A super alliance of industry, government, and individuals is more about preparation than prevention, said Easterly: “We’re not going to prevent bad things from happening. We need to ensure that we are building systems, and architecting infrastructure, and frankly, developing people to be resilient, to make sure that we can detect things early, that we can respond, that we can recover.”

The “bottom-line slogan,” according to Inglis: “If you’re a transgressor in this space, you have to beat all of us to be one of us.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.