The Federal government’s push to improve the nation’s cybersecurity posture across the board has taken shape through numerous policies and actions, but none are more important than the ongoing goal of creating more responsive operational collaboration with the private sector, Federal cybersecurity leaders said on Oct. 28.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), explained that the private sector provides critical insight into risks that exist in cyberspace, and the services they need to defend against those risks.
“There is value in responsive operational collaboration with the private sector because they do play a critical role in ensuring we are effective in defending our nation against cyberattacks,” Easterly said during a roundtable session organized by the Department of Commerce.
An example of effective collaboration with industry is CISA’s recently released cyber performance goals (CPGs), Easterly said. The CPGs feature a list of information technology and operational technology cybersecurity practices that critical infrastructure owners and operators can implement to reduce the likelihood and impact of known risks and adversary techniques.
In addition to working with the National Institute of Standards and Technology (NIST), “we sought out feedback from Industry to ensure the goals covered a broad spectrum of needs and resembled industry needs and standards,” Easterly said.
“We set up a GitHub page where you can make further comments and then we’re going to be working across all sectors to lay out sector-specific goals. And I think that’s important. We have a common baseline now, but then digging into each of the sectors so we can continue to create that trust in technology,” she added.
Kevin Stine, chief of the Applied Cybersecurity Division at NIST, explained that the Federal government must equip “all organizations of all shapes, sizes, sectors, producers of technology, users of technology … with the resources they need to better understand, manage, and ideally reduce risk to acceptable levels for their organizations and increasingly to the nation.”
But doing this, he said, requires robust research and having the technical underpinnings in place to provide that solid foundation of standards and frameworks.
Anne Neuberger, the deputy national security advisor for Cyber and Emerging Technologies, concurred with Stine, adding that one of the most important tasks in building a robust defense against cyberattacks is “the need for standards … determining what was critical and then rules for that to avoid the kind of software supply chain attacks that we’d experienced.”
Stine also explained that encryption is another priority for NIST, and another area where collaboration with industry will be important.
“When I think of what’s to come over the next ten-plus years, there’s going to be a lot of turbulence in the encryption space, certainly with post-quantum crypto … And while this occurs, we’re committed to collaborating with [Industry] to help organizations prepare for these eventual transitions,” Stine said.