As ransomware actors and foreign governments have increasingly targeted U.S. agencies, businesses and critical infrastructure over the past decade, federal officials and members of Congress have tried (mostly in vain) to foster better cooperation between industry and government on cybersecurity threats.
The logic justifying such cooperation has not changed: industry owns or controls most of the technologies that governments rely on, while only the U.S. government has the cybersecurity, law enforcement and intelligence resources required to fully understand the threat landscape. Neither have the visibility or tools to defend themselves against top-tier threats in cyberspace and each have a vested interest in working together and sharing resources and insights.
Inevitably, the end result of these efforts is usually another information sharing program or an idea for a new “nerve center,” where representatives from businesses and different agencies can come together, work on problems or threats in real time and execute a joint response.
As many businesses could tell you, it often doesn’t work out that way.
While Congress did pass legislation in 2018 creating the Cybersecurity and Infrastructure Security Agency specifically to act as the federal government’s cybersecurity broker with industry and civilian agencies, the public-private vehicles the new agency had in place at the time, like the National Cybersecurity Communications and Integration Center or Automated Indicator Sharing program, had experienced only tepid success. Not nearly enough to break down the barriers and turf wars that defined many cybersecurity problems.
Now, a new generation of government and industry leaders are hoping to learn from those past failures, most visibly with the new Joint Cyber Defense Collaborative, a cooperative center stood up earlier this year that seeks to "bring together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of these plans."
That topline description sounds very similar to how federal officials have described entities like the NCCIC in the past, but this time around both they and industry are more eager to collaborate than in the past, and a larger cultural evolution in government has made many of the previous information silos around cybersecurity easier to overcome.
Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, said her prior stint running global cybersecurity operations for Morgan Stanley gave her a window into how government collaboration efforts were viewed by the private sector. The picture was less than flattering.
“From the outside the government often looked disorganized, a little bit tribal, sometimes kind of competitive and not as coherent as we needed to be in order to have those relationships we needed to have with critical infrastructure to really defend the nation,” said Easterly while speaking at an Oct. 19 event hosted by The McCrary Institute at Auburn University.
The JCDC, which Easterly originally wanted to call the Advanced Cyber Defense Collaborative (or “ACDC,” one of her favorite bands) before agency lawyers shot it down, is supposed to be different. As to how, she and others made a distinction between past government initiatives -- where information sharing for its own sake was often treated as the primary goal – and what they call the “operational collaboration” model of the JCDC.
Past efforts at information sharing and collaboration between government and industry have traditionally suffered from low adoption by the private sector, or complaints from companies that they often aren’t given sufficient context to actually do something with the information they receive.
The JCDC has several things going for it that previous efforts did not. Firstly, it’s creation took place under a far different policy environment than previous “nerve centers” like the National Cybersecurity Communications and Integration Center. Today, both government and industry largely recognize that their digital security fates are intertwined and are thus more eager to work together and leverage each other’s respective strengths.
Secondly, the center was designed specifically with cooperation in mind, both by the Cyberspace Solarium Commission when it recommended the idea last year and by members of Congress, many of whom served on the commission and helped shape the proposal. One key difference: sharing information about threats is only viewed as useful to the extent that it can spur concrete action by one or more parties.
As NSA Cybersecurity Rob Joyce put it when discussing how the agency uses the JCDC to filter classified information into unclassified insights to share with other parts of the government and industry: “It’s very nice to know things, but it is completely useless if we don’t do things.”
Finally, the center treats public-public partnership, or cooperation between different parts of the government, as equally important to public-private collaboration in solving modern cybersecurity problems, addressing the sense of incoherence between in government that Easterly referenced and strengthening “the connective tissue” between agencies.
“This is something that CISA hosts but it’s really uniquely the power of the federal government, so NSA, FBI, CyberCom, DOD, ODNI, coming together with the magic ingenuity and innovation of the private sector to create a common operating picture of the threat environment, to plan and exercise against the most serious risks to the nation and then to implement coordinated plans to reduce that risk,” Said Easterly.