Cooperation, both public-private and interagency.

Summary

By the CyberWire staff

At a glance.

The importance of public-private cooperation in the US National Cyber Strategy.
Top DoD information security executive says collaboration is key.
US HHS CIO highlights importance of cyber coordination in health sector.

The importance of public-private cooperation in the US National Cyber Strategy.

This past March the US government released its much-anticipated National Cybersecurity Strategy, and one of the document's main messages is that the country’s cybersecurity cannot be left to just a few to solve, but must be a cooperative effort. In an article in the Federal Times, Zscaler’s vice president and chief compliance officer Stephen Kovac emphasizes the need for this collaborative approach and underscores the roles that the government and private industry must play in order to strengthen the US’s cyber defenses. Kovac notes, “The NCS acknowledges that our cybersecurity posture and supply chain are too complex and important to be left to any single business, government agency, person, or organization. It is intended to disrupt threat actors and their methods – such as ransomware, a borderless cyber crime requiring international cooperation to combat.”

Kovac calls on the federal government to support and invest in the private sector in researching and developing new tech to detect and address cybersecurity threats. And the private sector should work to improve supply chain security by adhering to government guidelines, incorporating a secure-by-design approach, and hiring and training employees with cybersecurity knowledge. As well, they should devote resources to advanced security measures like zero trust and share best practices and new developments with the government so they can be passed on to other organizations. Of course, these efforts will require additional resources. While government funding from the Technology Modernization Fund (TMF) and State and Local Cybersecurity Grant Program is on its way, in the interim companies should prepare by identifying their security needs, applying zero-trust best practices, and making the most of free resources made available by the Cybersecurity and Infrastructure Security Agency.

Top DoD information security executive says collaboration is key.

Staying in the US, the Department of Defense (DoD) reports that Principal Deputy Chief Information Officer Leslie A. Beavers spoke at a recent FedTalks speaker series, and she, too, emphasized the importance of collaboration across government and industry in achieving America’s cybersecurity goals. She said that the inherent dangers of the current digital landscape present a "whole of government, almost whole of society threat," one that “requires everyone to be a part of the solution.” She went on to note that the DoD is already involved in several initiatives focused on cybersecurity, including the implementation of a zero-trust framework. Last year the DoD released a cyber strategy plan that incorporated cultural adoption, security and defense of DoD information systems, technology acceleration, and zero trust enablement, and Beavers also highlighted the need for retaining top-notch cybersecurity personnel. Beavers added, "The Department of Defense, as large as it is, is heavily reliant on civilian infrastructure and companies as well as other government organizations. It's a journey that we have to go on together."

We heard from Ted Miracco, CEO of Approov Mobile Security, who in an email welcomed the emphasis on cooperation. “State-sponsored cyberattacks from adversaries like China and Russia are a major component of the emerging threats facing the US defense industry and government. Countering these threats requires even greater information sharing and collaboration between the US government and private sector cybersecurity companies. The initiatives underway at DOD are an important piece of confronting this complex challenge as it isn't just a defense problem, it can impact both national security and the economy. It's encouraging to see cybersecurity leaders like Beavers emphasize the role everyone must play in this effort.”

Jason Keirstead, VP of Collective Threat Defense at Cyware, also wrote to praise the emphasis on collaboration. “I'm glad to see the DoD's focus on collaboration. It's arguably one of the most important areas that can produce tangible cybersecurity improvements. When we consider the expansive and complex nature of the Defense Industrial Base (DIB), the most basic and effective countermeasure that we can deploy against the adversary is to more rapidly develop and deploy our response. Collective defense enables trusted collaboration inside and outside organizations, allowing the DoD and the DIB to work together to accelerate these initiatives, reducing the attack surface an adversary has to work with.”

US HHS CIO highlights importance of cyber coordination in health sector.

At the Billington Cybersecurity Summit held in Washington last week, chief information officer for the US Department of Health and Human Services (HHS) Karl Mathias spoke about how the HHS’s Health Sector Cybersecurity Coordination Center, or HC3, has bolstered information sharing. He stated, “We cannot be scared of sharing the data we have. We can’t let fear of the security issue prevent us from solving the problem.” Created in 2018, HC3 was the response to Congress’s concerns that HHS needed to improve its collaboration efforts with healthcare and public health sector partners, Nextgov.com explains. Matthias says the HHS is now driven by the motto, “Share as much as you can, recognize when you should and apply the cybersecurity principles to that data.”

Selected Reading

Re-Envisioning the Cyber Domain for Deterrence (The Strategy Bridge) By adjusting our paradigm for understanding the threats and opportunities in cyberspace, the United States can incrementally build cyber deterrence to shift the balance toward stability. States will still develop and exploit vulnerabilities. However, the proliferation of simple cyber tools for crimi

Polish Senate says use of government spyware is illegal in the country (TechCrunch) A Polish Senate commission concluded that Poland government's use of spyware made by NSO Group was illegal and influenced the 2019 elections.

As China steps up cybersecurity enforcement, smaller businesses feel the heat (South China Morning Post) Authorities have begun warning small business owners to improve their data security measures, or face penalties.

Amid shutdown anxiety, federal agencies are running up against an IT security deadline (Nextgov.com) While budget negotiations play out on Capitol Hill, federal agency CIOs are also on the clock to ensure the bulk of their information technology is reported through the CDM program.

Sleight of hand: How China weaponizes software vulnerabilities (Atlantic Council) China's new vulnerability management system mandates reporting to MIIT within 48 hours, restricting pre-patch publication and POC code. This centralized approach contrasts with the US voluntary system, potentially aiding Chinese intelligence. MIIT shares data with the MSS, affecting voluntary databases as well. MSS also fund firms to provide vulnerabilities for their offensive potential.

Meet the Facebook lobbyist-turned-lord fighting Britain’s encryption crackdown (POLITICO) Richard Allan — and a host of tech execs — are working to thwart rules that could see encrypted messenger apps monitored.

New strategy for global cybersecurity cooperation coming soon: State cyber ambassador (Breaking Defense) “The war in Ukraine has cast a very dark shadow,” ambassador-at-large Nate Fick said – but the “silver lining” is a new seriousness about public-private cooperation against global cyber threats.

Achieving the National Cyber Strategy hinges on joint collaboration (Federal Times) Recent research shows a 37% increase in global ransomware attacks, with the U.S. as the most affected country.

Amid shutdown anxiety, federal agencies are running up against an IT security deadline (Nextgov.com) While budget negotiations play out on Capitol Hill, federal agency CIOs are also on the clock to ensure the bulk of their information technology is reported through the CDM program.

HHS looks to improve cybersecurity coordination (Nextgov.com) The agency is utilizing a relaunched cybersecurity coordination center and additional programs to significantly ramp up interactions with key partners, a top official said.

Senators want a special government unit to help small businesses with cyberattacks (SC Media) A quartet of senators introduced The Small Business Cyber Resiliency Act that would establish a new Central Small Business Cybersecurity Unit within the Small Business Administration.

White House Privately Rejects Congress’s Demand for New Crisis Plan for US Economy (Exclusive) (The Messenger) Lawmakers wanted a single comprehensive blueprint for stabilizing daily life amid a massive cyberattack or other emergency. The Biden administration says that’s unnecessary

Don’t buy intel community spin on Section 702 (The Hill) Former attorneys for the National Security Agency and other parts of the federal intelligence community are busy warning members of Congress about the grave dangers of surveillance reform.

House Lawmakers Raise Concerns on SEC's New Cybersecurity Disclosure Rules (Executive Gov) Looking for the latest Government Contracting News? Read about House Lawmakers Raise Concerns on SEC's New Cybersecurity Disclosure Rules.

New SEC Rules Push Cybersecurity to the Top of the Inbox (Nasdaq) If you had the U.S. Securities and Exchange Commission on your bingo card for shaking up the cybersecurity sector this year, congratulations!

Ohio Air National Guard’s 179th Airlift Wing Redesignated as Cyberspace Wing (The 1014) Ohio Air National Guard’s 179th Airlift Wing Redesignated as Cyberspace Wing - The 1014