Ask Huntress CEO and co-founder Kyle Hanslovan about the future of the cybersecurity industry’s public-private partnership and you’ll get a long answer.
Hanslovan, who spent 16 years in US intelligence before launching Huntress a decade ago, is no stranger to the back and forth between agencies and the corner office. Add to that the reality of the federal government and its interplay with the states and you have a recipe for, if not disaster, certainly confusion.
IT Brew had a chance to catch up with Hanslovan in early August, and we asked him where the public-private partnership goes next in an era of budget cuts and an uncertain federal commitment.
This interview has been edited for length and clarity.
As we’ve reported, budget cuts have impacted cybersecurity programs at the federal level. The public-private cybersecurity partnership in the US has long been a point of pride for the industry—where are things at now?
At the end of the day, there is stuff that the government will not be funded to do. Today, it might be more on the states to handle things. Tomorrow, it could be more on federal, but I think we have to acknowledge that hope is not a very good strategy.
Private business is in many ways stepping up for some of that predictability… I’m not promoting vigilante hacking, but I think there should be a lot more collaboration when vendors and folks like us see mistakes.
Whether it’s a cybercriminal doing something and they leave a door open, or they leave a password available, I’m not so sure there shouldn’t be a rapid response capability in the government that says, “I found this mistake.” The government should be able to leverage it.
So it’s safe to say that you’re in favor of the public-private relationship?
Public and private relationships are critical, but we are still very immature on how we collaborate to support offensive operations against cybercrime and nation-state threat actors.
Sometimes it seems the government moves a little slowly on these threats. In the US we have federal and state governments, for example, with differing regulations and policies. How does that play into reaction time and defender decisions?
We just bombed a country without congressional approval. If we really, as a federal government, wanted to take a quick reaction to a threat actor in cyber, we’d do it. We're not. Let’s call that spade a spade first.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Second, I don’t think we should have the ability to fire from the hip and not ask for permission, right? I do think asking for permission is important. Oversight is very important.
There is a hell of a lot of bureaucracy, and the people paying for it are not the largest companies with unlimited budgets and unlimited staff. The people paying for it are the businesses that are the backbone of our economy that don’t have access to unlimited talent, or have limited budgets, or people overworked and underresourced.
This starts with decisive leadership that’s willing to take a more firm stance—and that might mean some imperfection. I think it starts with our new secretary of defense. We’ve talked about returning to the warrior ethos of the military. I would like to see that warrior ethos extend to how public and private collaborations in cyberspace help arm and protect, whether it’s any democratic Western government, let alone the citizens behind it. I think this is something that we really need to consider if we want to keep our edge over cybercrime.
When you look at the state of the last decade in public-private efforts to push back on cyber threats, where do you see us headed? How does the danger of attackers manifest itself?
The next 10 years are going to require better collaboration, better automation, and, to be honest, more reactivity with urgency, even better proactivity or getting ahead of these threats before they happen.
There’s a lot of infrastructure, bureaucratic overhead, a lot of really hard things. Who do you get a hold of if you find a hacker doing this? Do you call the FBI? Do you call the internet cybercrime center? Do you call DHS? Do you call CISA? Do you call the NSA, the CIA? We have to figure it out because the one thing that threat actors have is they’re very small. They’re very agile, and they don’t have the same overhead of the system.