The combined response of the Federal government and the private sector to the Russia-based cyberattack on government and business networks via SolarWinds Orion software is making for a promising use case for addressing major incidents in the future, said Federal Chief Information Security Officer (CISO) Chris DeRusha on April 22.
Speaking at the Billington Cybersecurity Defense Summit, the recently installed Federal CISO was asked about how the private sector and government can cooperate more effectively to create better security. His starting point for that answer: “Our shared mission is managing risk in the digital age.”
(Hear more from DeRusha on May 12 at MeriTalk’s CDM Central – the Age of Cyber Defenders virtual conference, where he is set to offer the Government Keynote address.)
“If you think about that, society hasn’t really unpacked fully what types of risks we’re facing, what that means for our national economic security, and how we’re really going to optimally organize to address those risks between government and industry,” he said.
“So in a lot of ways, we’re learning to do this risk management in this new era together,” DeRusha said. “What does that mean for how we’re going to work together? I think that means industry and government need to partner closely so that we can educate, not just the American public, but our workforces, and help them understand the challenges and responsibilities.”
In a positive sign for future efforts, he credited close cooperation between the government and private sector in responding to the SolarWinds hack, saying those efforts form a “really important use case” for addressing national security risk going forward. Since news of the attack broke late last year, the scope of the hack has been reduced from a worst-case view of about 16,000 entities victimized to a number closer to 100, including nine Federal government agencies.
That cooperation between industry and government, DeRusha said, came about “in a way that I’m not sure I’d seen before … this was really pretty deep, rich collaboration working across silos, sharing threat information in real time. That was really in full effect. I want to think about how do we bottle that, and how do we … as we’re moving forward our public-private partnerships remember this lesson.”
“We would not be this far along in our recovery efforts if we hadn’t had that information sharing between industry and government,” the Federal CISO said.
“We’ve got to work together and figure out how to share the information quickly, and then coordinate response efforts as we go forward,” DeRusha emphasized. “It’s really the only way we’re going to be successful with the new types of threats we’re facing.”
Growing Federal Cyber Team
Elsewhere during his remarks, DeRusha discussed the wide scope of his involvement with many areas of government, including frequent contact with the White House National Security Council staff, Deputy National Security Advisor Anne Neuberger, and agency security chiefs via the CISO Council that he heads, along with the Federal Acquisition Security Council, which he chairs and which is focusing on supply chain risk issues.
DeRusha said he also sits in with the Federal CIO Council, as he’s “trying to make sure I’m keeping a pulse on broader IT priorities and challenges … often these are different sides of the same coin.”
“I’m also looking forward to working with the newly created Office of the National Cyber Director (NCD),” he said. “I think the NCD could add some really fantastic capacity and a strategic lens and have a kind of immediate impact. A lot of players here have got their role, and our job is just to coordinate well and work well together.”
Pitching Security ROI
Finally, DeRusha said that cybersecurity leaders have to focus on creating compelling investment cases for improving security, in order to secure wide stakeholder support and resources for getting that job done.
“We as IT and security professionals have got to get really good and be compelling about how we’re communicating” security risks, “and then the investments that are going to be engaged, to all of the stakeholders that need to kind of get this message,” DeRusha said. Those stakeholders, he said, include members of Congress and Federal agency leadership including chief financial officers, among others.
“We’ve got to do a better job of explaining the ROI (return on investment)” of better security, he said.
“I’m not going to pretend like there’s some easy answer that everyone’s missing, there’s not, but I think we’ve got to focus on that and help each other and share lessons on when we’re really figuring out how to be compelling.” He added, “That’s the type of sharing I really like to see more, not just technical sharing.”