Government and industry leaders have long hailed the importance of public-private partnerships, but they can pose challenges in the cybersecurity realm because the nation’s defense is involved.
Traditionally, says former Department of Defense (DoD) deputy chief information officer for cybersecurity Essye Miller, “government is sometimes hesitant to partner when an initiative involves national security, and rightfully so given the classification levels of information involved.”
Miller, who is now a board member for Axonius Federal Systems, added in a recent interview with MeriTalk that while DoD has historically worked with coalition and industry partners, “the overall government culture or mindset is to be cautious of accepting commercial support in certain missions, especially when there is no transparency on the company’s cyber posture.”
In this era of growing cyber threats, Miller and other experts said that hesitancy is melting away. The Biden administration’s recent National Cybersecurity Strategy cites partnerships 12 times as vital to cybersecurity, including a call to forge alliances with academia, manufacturers, and technology companies to support research on cyber risks in emerging technologies.
Miller pointed to a number of successful public-private cyber partnerships involving DoD and the intelligence community, including an alliance with the Five Eyes Intelligence Oversight and Review Council to garner important feedback for officials developing the cybersecurity standards for public key infrastructure.
Other agencies in the cyber arena are forging successful partnerships as well.
The heightened threat level, a top National Security Agency (NSA) official recently explained, makes information sharing between the public and private sectors even more crucial. Morgan Adamski, chief of the NSA’s Cybersecurity Collaboration Center, said the agency is focusing more on sharing information with the more than 300,000 Defense Industrial Base companies in support of real-time defense.
“It is an investment in terms of, we’ve got to put skin in the game from an [NSA] perspective, just as the industry has to put skin in the game in terms of talking about what they’re seeing on their networks and what they’re tracking,” Adamski said.
At the Department of Homeland Security (DHS), officials say public-private partnerships are key to ensuring the success of several current initiatives designed to help U.S. critical infrastructure providers reduce cybersecurity risks. Among them are the cybersecurity performance goals unveiled in October by DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
The goals, applicable across 16 DHS-designated critical infrastructure sectors, are aimed at helping critical infrastructure owners and operators prioritize and set a foundation for key security measures.
“Whether we’re doing security directives or whether we’re doing the performance goals, we do them hand in hand with industry,” Iranga Kahangama, assistant secretary for cyber, infrastructure, risk, and resilience at DHS, said during a December webinar.
CISA says public-private alliances are “the lifeblood of what we do. Information sharing and cooperative action – across both public and private sectors – is essential to our goal of raising the nation’s collective defense.”
Experts and practitioners say partnerships are on the rise because they work. Recent research from RSA and MeriTalk found that close collaboration between the government and the private sector has helped organizations respond proactively to cyber threats.
The findings, based on input from 100 Federal and 100 private sector cybersecurity decision makers, showed that 90 percent of those surveyed view public-private partnerships as a “force multiplier” in cyber resilience.
At DoD, the Defense Innovation Unit – which focuses on accelerating the adoption of commercial technology for national security – worked on a project with Axonius Federal Systems to improve the comprehensiveness, speed, and accuracy of its cyber asset inventory management across its networks.
Axonius Federal Systems Vice President Tom Kennedy said the Defense Information Systems Agency (DISA) liked the prototype so much that it asked Axonius to expand it for DISA systems, which provide a global infrastructure for information sharing and communication across DoD. The technology is now reusable across all of DoD.
“Public-private partnerships are key to improving the nation’s cybersecurity defenses,” Kennedy said. “… When it comes to cyber, we are seeing that resistance to partnerships wane, with defense and intelligence agencies being more receptive to working with the vendor community to solve problems together.”