The new National Cybersecurity Strategy calls for strong public-private partnerships to improve national security and advance innovation that protects critical systems and data. The Department of Defense (DoD) is well down the path of working with industry and coalition partners to achieve interoperability and mission success. MeriTalk recently sat down with Essye Miller, former DoD deputy chief information officer for cybersecurity, former acting defense chief information officer, and board member for Axonius Federal Systems, and Tom Kennedy, vice president, Axonius Federal Systems, to talk about what successful public-private partnerships look like, lessons learned from past partnership experiences, and how industry and government can come together effectively to work towards common goals that advance the nation’s cybersecurity.

MeriTalk: As the DoD’s deputy chief information officer for cybersecurity and acting defense chief information officer, you were tasked with coordinating cybersecurity standards, policies, and procedures with other Federal agencies, coalition partners, and industry. What were your successes and challenges in this effort? Did you feel like you achieved true partnership with coalition partners and industry?

Miller: The DoD has historically partnered with coalition and industry partners. Looking back specifically at the work I was involved with, when we developed the cybersecurity standards for public key infrastructure, which is the framework that enables users and servers to securely exchange information using digital certificates, we partnered with the Five Eyes Intelligence Oversight and Review Council to get feedback that helped ensure the standards met universal needs and expectations. The DoD also collaborated with industry on this initiative to help guide the technology development that would be the foundation for public key infrastructure.

One of the biggest challenges the DoD faces with partnerships, especially with data usage and protection initiatives, is the government culture or mindset to be cautious of accepting commercial support in certain missions. For example, when we migrated from user IDs and passwords to log into the network to technology that used a single token, which was the genesis of the Common Access Card that everybody uses today, there was pushback because of the data being stored on the card. New technology and new processes often generate some level of pushback, but I think that is just human nature.

Kennedy: To echo what Essye said, the DoD has been building public-private partnerships for some time. As new technologies emerge, there’s always some resistance – which makes sense given the sensitivity of the mission – but that changes over time and with concerted effort from private industry to secure new technologies and continue to build trust.

When it comes to cyber, we are seeing that resistance to partnerships wane, with defense and intelligence agencies being more receptive to working with the vendor community to solve problems together because together the work can be done faster and more effectively, all while maintaining security.

MeriTalk: Thinking about joint initiatives across service branches, were your partnerships able to break down data and communication silos? If so, how?

Miller: In this era of growing cyber threats and cyberwarfare, there is a push to break down data and communication silos across military departments and defense agencies to support national security. One important initiative that achieved this was ADVANA, which was developed to support the Financial Improvement and Audit Readiness (FIAR). ADVANA is the DoD’s data analytics tool and big data platform that pulls data from many business systems across the Department to make data discoverable for FIAR reporting. Making data accessible and available is imperative for successfully executing business and operational missions.

MeriTalk: What does a good public-private partnership look like within the DoD?

Miller: Effective partnering really comes down to communication, transparency, and a clear understanding of requirements. A good example of effective public-private partnerships is how the DoD and industry partnered at the outset of the COVID-19 pandemic. When our personnel suddenly transitioned to remote environments, we didn’t have the capabilities to immediately support the demand for laptops, bandwidth, phone lines, etc. The ability to collaborate remotely was both new and critical to the department. DoD and industry came together in a moment of crisis with a clear understanding of what was needed to keep personnel working in a new environment.

Kennedy: I’ll share another example of why communication and close collaboration are critical for partnership projects to be successful. Axonius Federal Systems worked on a project with the Defense Innovation Unit (DIU) to improve the comprehensiveness, speed, and accuracy of its cyber asset inventory management across its networks. They set clear, actionable milestones during the prototype stage, which involved us proving the functionality.

The Defense Information Systems Agency (DISA) followed the prototype development, and when we moved into pilot, asked us to expand what we built for DIU for their DISA systems. We collaborated with DISA’s teams as we worked through each pilot task, and because their teams were collaborating with us as we built the technology in their environment, it is now reusable across the DoD. This project would not have been successful or easily replicated without open communication, clear requirements, close collaboration, and access to DISA’s environment.

MeriTalk: As agencies increasingly seek to adopt emerging technologies such as artificial intelligence (AI) and machine learning to meet mission objectives, are they more open to public-private partnerships to achieve their objectives?

Kennedy: AI and machine learning are the latest innovative technology trends that the government is trying to get their arms around. Several years ago, the latest innovative technology was zero trust. The government saw the value – really the need – for zero trust architectures, and rallied agencies and industry around developing and implementing the technology through policies, mandates, and guidelines.

Joint public-private collaborative groups were established to create best practices, advise on technology development, and share cyberthreat information. Everyone – government and industry – got behind the cybersecurity problem and the zero trust solutions to achieve common goals. I see the development and adoption of AI and machine learning following a similar path. So yes, because of that recent experience with zero trust, the government is more open to public-private partnerships with these emerging technologies.

Miller: We already see this type of collaboration with the emergence of the Joint Artificial Intelligence Center and now the Chief Digital and Artificial Intelligence Office. It’s an example where the government leaned forward to engage industry, as we knew the technology was evolving and there would be an impact and benefit to meet mission needs.

MeriTalk: What are agencies gaining from these public-private partnerships, and conversely, in what situations might they be hesitant to partner?

Kennedy: One of the primary benefits is speed to delivery. Agencies can adopt technology faster with a lower risk through public-private partnerships. They also have access to best practices to guide the project at each stage.

Miller: Government is sometimes hesitant to partner when an initiative involves national security, and rightfully so given the classification levels. The public-private partnerships offer opportunities to explore emerging technologies and take advantage of the lessons learned.

MeriTalk: How can agencies overcome hurdles to public-private partnerships? How can industry help?

Miller: Industry partners should be open to piloting their capabilities to showcase what their technology can do, which gives the government an opportunity to assess cybersecurity and risk implications without large upfront investments. On the other hand, government employees should continue to embrace the agility authorities like Other Transaction Authority, or OTAs, provide to pilot commercial technologies that enhance mission effectiveness.

Kennedy: We’ve seen a shift in the market; now, many next-generation vendors are willing to engage in pilots. The shift to subscription-based pricing models has also been a huge benefit. The government doesn’t have to make a long-term commitment, they have more control over their spending, and they can be more agile in their technology adoption.

MeriTalk: The new National Cybersecurity Strategy (NCS) has a significant focus on public-private partnership and coordination. Does it signal a shift in how government approaches public-private partnerships?

Miller: I don’t think it signals a shift in relationships; it signals a shift in responsibility. Government agencies have always been held responsible for reporting cyber incidents and the impacts those incidents have on the mission. The NCS increases the accountability of industry partners when it comes to cyber incidents so government can assess potential impacts. An example of what this looks like is the Defense Industrial Base Cybersecurity Forum. DoD invites companies to quarterly sessions where they share threat indicators and discuss cyber trends in a transparent way.

Kennedy: To support more transparent sharing, industry is looking for government to create a safe space to report cyber incidents because of the effects that information sharing could have on their bottom line. Industry and government need to work through this issue to achieve the information-sharing goals of the NCS.

MeriTalk: How does Axonius approach public-private partnerships?

Kennedy: Public-private partnerships are key to improving the nation’s cybersecurity defenses. Axonius’s approach is based on in-depth collaboration, where we receive and share information clearly and consistently throughout every stage of the project, which is the path we followed with the DIU project and others. Not only did close collaboration allow us to deliver technology that could be replicated across the DoD, but we also created the training modules and standard operating procedures and got the network certification and the authority to operate so we could deliver a complete package. Axonius takes a long-term approach to collaboration, sharing best practices and lessons learned from deployments to keep our partners advised of anything we are seeing.

MeriTalk: What advice do you have for government and industry when they are thinking about engaging in public-private partnerships?

Miller: In order to provide value to the government, it’s critical that industry partners truly understand the requirements and challenges that government faces. You hear government leaders often repeat this advice to industry: Do your research, know the priorities and environment of the government agency you’re engaging and where you have technology or capability to enhance or advance their mission. This sounds basic, but it is sometimes overlooked by some companies that want to collaborate with government.

Kennedy: To grow the collaborative spirit that underpins public-private partnerships, both industry and government should get involved with joint forums. The American Council of Technology-Industry Advisory Council (ACT-IAC) is a nonprofit entity where government and industry come together in a safe space to collaborate. The group has developed white papers and best practice documents on a wide range of topics. By getting involved in joint forums or groups like ACT-IAC, you can really learn what issues the other side is facing, which will help you not only communicate better, but also develop tools that will really solve problems.
