The ways federal agencies can strengthen national cybersecurity were discussed in a keynote session on day two of the RSA Conference 2022.
Moderated by Bobbie Stempfley, vice president and business unit security officer at Dell Technologies, the session had contributions from three key figures in the US government’s cybersecurity strategy: Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA); John “Chris” Inglis, national cyber director, Executive Office of the President; and Robert Joyce, director of the National Security Agency (NSA)’s Cybersecurity Directorate.
Inglis described the different roles the three represented entities play, stating that “it’s not half as complicated as it actually is.” The NSA provides important information to the private sector about threats and vulnerabilities, while CISA brings that information together to push it across a number of critical infrastructures. Inglis added: “My job as national cyber director is to sort out those roles and responsibilities to ensure that they all complement one another.”
Easterly highlighted how CISA has been growing since its inception in 2018, focusing on “building a cyber-capability for the homeland and critical infrastructure.” This naturally has to be a joint endeavor with the private sector. She noted that CISA has worked increasingly closely with Joyce and Inglis across their mission sets.
Joyce said one of NSA’s biggest attributes is its “capability to reach into foreign networks and understand the threats, and that is something that is used by CISA and other elements of the government to figure out where we can go to disrupt those threats.” Therefore, the agencies are “pulling our strengths across government and increasingly, with foreign partners as well.”
Inglis further emphasized this need for collaboration across government, stating that threat actors “have to beat all of us to beat one of us.”
The panel then discussed how this collaboration could be extended between the federal government and the private sector. CISA’s Easterly highlighted the work of the Joint Cyber Planning Office, bringing together the relevant federal government agencies with the private sector “to plan and operate together when it comes to cyber defense operations.” This began operating at the end of last year, with the first test case being the Log4j incident. She emphasized it is vital the federal government taps into the private sector, which often “has more visibility than we have.” This initiative has been extended since the war in Ukraine began.
For too long in cyberspace, there has been a “division of effort,” said Inglis. “Everyone defends their patch” even though “no one of them or us can defend ourselves against all perils.” He described how, on the eve of the Russian invasion of Ukraine, the US government provided rich, actionable intelligence to allies and private sector partners that were likely to be on the cyber front line. “There are some things we can only discover together that no one of us can discover alone,” added Inglis.
Joyce concurred that the private sector can offer hugely valuable threat intelligence but emphasized the need to create trust between all parties. To do this, “there has to be some formats and platforms to bring those together, sometimes in the town hall setting and sometimes in very small exchanges.”
Building on this theme, critical industries, such as finance and energy, “deserve an interface to the government that speaks their language,” said Inglis.
Easterly explained that CISA has worked to build sector-specific communication and information-sharing channels, observing that “building trust is hard, breaking trust is easy.”
Inglis emphasized that only a collective effort can defend against increasingly sophisticated attackers. He noted that ransomware “is a syndicate operating against us, how can we respond with anything less?”
Dell Technologies’ Stempfley then asked the panel about the roles of individual entities within the collaborative landscape. Joyce said all organizations have a duty to detect and patch exploitable vulnerabilities. “That needs to be the base – everyone needs to get to that baseline and take care of the unlocked doors.”
Joyce added that the roles and responsibilities of different organizations in the collective effort also need to be defined, including how to protect small organizations that lack the capabilities to defend themselves. “What is the responsibility of government and the private sector so this person doesn’t stand alone in a skirmish with the cyber transgressors?”
Easterly added that “there are some not very complicated things we can do to protect ourselves at the individual level.” These include password hygiene, implementing multi-factor authentication and keeping software updated.