The nation’s path to sustainable cybersecurity improvement lies in improving technology security by design, and achieving better communication between industry and government, said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), during an address today at the CES 2023 technology conference in Las Vegas.
Easterly emphasized the need for a fundamental shift in how government and industry work together in order to achieve persistent collaboration.
The private sector owns and operates a majority of the U.S. critical infrastructure, so partnerships between the public and private sectors are essential to sustainable cybersecurity. But oftentimes, she said, that necessary heightened level of communication exists only when emergencies arise.
“We need to transform how government and industry work together to persistent collaboration, not this sort of episodic, unidirectional, non-transparent, non-responsive relationship that we have between government and industry,” Easterly said.
Easterly also explained that more persistent collaboration among private sector organizations themselves is critical in the effort to build out more sustainable cybersecurity.
CISA, Easterly said, has stood up several councils to lead a coordinated effort between government and private sector critical infrastructure partners to enhance the security and resilience of the nation’s critical infrastructure. Those include the Critical Infrastructure Partnership Advisory Council, the State, Local, Tribal, and Territorial Government Coordinating Council, and the Federal Senior Leadership Council.
Beyond those collaborations, creating more sustainable cybersecurity also relies on technology companies creating technology that is secure by design and secure by default, because “we live in a world where the critical infrastructure that Americans rely on every hour of every day … is underpinned by a technology base.”
“We don’t seem to be recognizing that is a fundamental safety issue,” the CISA director said.
“We’ve somehow accepted that the incentives are all aligned toward cost, capability, performance, and speed to market and not safety,” she said. “We’ve accepted that software is developed with all kinds of vulnerabilities and flaws. We’ve accepted that cybersecurity is the purview of the IT people that may not have the influence.”
Instead, Easterly said there must be an “evaluation of the technology products that we will use every day and how they are going to be designed to be safe,” and what security features are built into the product.
Currently, a lot of the responsibility for mitigating cyber risks is placed on the shoulders of consumers who may not understand or be prepared to handle that threat. Therefore, it all comes down to “how we build the technology to be as secure as possible out of the box, and that’s how we’re going to get to a world where we’re all safer since we’re all connected,” Easterly explained.
“Everything’s digitized, the critical infrastructure we depend on is all underpinned by a technology base. We have to come together and make changes to this and change the incentive structure for the safety of all of us,” she added.
The CISA director also pushed back against the idea that cybersecurity is the responsibility of IT teams. Rather, she said, enterprise leaders must understand and embrace that mitigating cyber risk is a matter of good governance.