Fostering open information exchange, aligning incentives, and fixing responsibility.
The whole-of-nation approach to cybersecurity: a state-level perspective.
Maryland Governor Larry Hogan opened yesterday’s 2021 Annapolis Cybersecurity Summit by expressing confidence that all levels of government and all private organizations would be able to find common ground in arriving at a workable, whole-of-nation approach to cybersecurity. The participants generally agreed, and saw aligning incentives and assigning responsibility as keys to effective cooperative security.
A Federal view: fostering cooperation at home, and imposing costs on foreign adversaries.
The morning's first panel, "A Federal Perspective: Setting a National Cybersecurity Agenda," was described as "A conversation on the national salience of cybersecurity, federal initiatives, and federal-state partnerships." Moderated by Dr. Freeman Hrabowski (President, University of Maryland, Baltimore County), the participants included Anne Neuberger (Deputy National Security Advisor, Cyber & Emerging Tech at National Security Council), Representative John M. Katko (Republican, New York 24th, Ranking Member on the House Committee on Homeland Security), George C. Barnes (Deputy Director and Senior Civilian Leader, National Security Agency), Herbert J. Stapleton (Deputy Assistant Director, Cyber Division, Cyber Operations Branch, Federal Bureau of Investigation), and Admiral Dennis C. Blair, US Navy, Retired (Former United States Director of National Intelligence).
Neuberger began with an overview of recent Administration initiatives in cybersecurity, including this week's National Security Memorandum on cybersecurity for critical infrastructure. The importance of collaboration runs through these as a common theme. She mentioned some Congressional initiatives, notably the pending EARN IT Act, as promising steps.
Others discussed the current threat landscape, and the ways in which the Government sought to manage risk in that increasingly challenging space. Representative Katko hoped to find ways of discouraging ransomware payments, Stapelton reiterated the FBI's encouragement of information sharing: the FBI and its partners are committed to helping victims of cyberattack. Victims shouldn't hesitate to report incidents. And Barnes warned that we're at a crucial point in our country's history, facing active and aggressive adversaries in cyberspace: Russia gives its criminals freedom to steal at will, and China not only directly uses criminals, but permits them to profit on the side.
Admiral Blair made three points about fixing responsibility, a challenge that he sees as connected to establishing proper liability. Convenience is too often at odds with security. He sees, first, a general lack of industry accountability for shoddy software, "the junk we now often use." And second, the Government needs to set an example here, fixing its own "shoddy, buggy systems." And third, he advocates forming a "network of networks for cybersecurity."
The view from the states: the importance of fostering cyber business development. (And, "buy local.")
The summit's second panel, "A State Perspective: Building a Cybersecurity Ecosystem," was intended to be "A conversation on state-level cybersecurity initiatives, collaborations, successes, and challenges." Many of those initiatives and challenges involve fostering the growth of a healthy, creative, cybersecurity business community. Timothy Blute (Director, Center for Best Practices, National Governors Association) moderated the session. The panelists included Governor Larry Hogan of Maryland, Governor Asa Hutchinson of 11:35 AM Panel 3Arkansas (also chair of the National Governors' Association), Governor John Bel Edwards of Louisiana (also of the NGA Resource Center for State Cybersecurity), and, from the private sector, Ron Gula of Gula Tech Adventures.
All the governors expressed a commitment to interstate cooperation as well as collaboration with the Federal Government and the private sector. They all described the importance of education for building an adequate cyber workforce.
Gula offered some advice for the states on how to help develop the kind of ecosystem that would support security. If you want to build a cyber industry in your state, he said, "Buy local," and foster opportunities for startups. Businesses look for opportunity zones, and indeed anything that makes it easier for startups to raise funds. He encouraged those at the summit to think about different ways of explaining cybersecurity, perhaps by describing it as "datacare" on the analogy with healthcare. Such fresh explanations might help draw more talent into the industry.
The view from the private sector: innovation in the service of security.
The final session, "A Private Sector Perspective: Championing Innovation and Collective Defense," was described as "A conversation on public-private partnerships and the importance of holistic strategies for strengthening cybersecurity." Moderated by Dean Keith Bowman (College of Engineering and Information Technology, University of Maryland Baltimore County), the panel included General Keith Alexander, US Army, Retired (Founder, Chairman & Co-CEO, IronNet), Daniel R. Ennis (Executive Director of the University of Maryland Cyber Initiative and CEO of DRE Consulting), Kevin Perkins (Senior Vice President and Chief Security Officer, Exelon), Dr. Mohan Suntha (President and CEO, University of Maryland Medical System), Dr. Phyllis Schneck (Vice President and Chief Information Security Officer,Northrop Grumman), Tina Williams-Koroma (President and CEO, TCecure), and Robert Lee (Chief Executive Officer, Dragos).
All expressed a commitment to cooperation for defense. They favored imposition of costs on bad actors, and agreed that everyone needs to know what aspects of security they're responsible for.
General Alexander made two points in particular. First, the experience of the COVID-19 pandemic showed, clearly, the importance of state governments in the US system. They bear a comparable importance in cybersecurity. Second, "We should all be concerned about increasingly harsh rhetoric from official China." Chinese cyberespionage represents a "huge threat," responsible for the transfer, he said, of about $500 billion in intellectual property annually. Russia is a comparably dangerous threat. We need to be able to retaliate effectively against such adversaries. And such retaliation is properly a Federal responsibility. But collective defense, including appropriate retaliation, depends upon prompt sharing of information so that we can build an accurate common operational picture.
Robert Lee closed the session by arguing that government should "say why and what, but not how." The electrical power sector has done this, and done so effectively. A more prescriptive environment, Lee said, would not have permitted such positive development. He contrasted this approach with TSA's recent pipeline cybersecurity directive: telling companies to patch within thirty days is "absurd." Patching in these environments isn't simple, and doesn't lend itself to this kind of direction. Better to encourage effective patch management than to push checklist compliance on an industrial sector.