U.S. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger speaks during a White House press briefing on March 21, 2022 in Washington. (Photo by Alex Wong/Getty Images)

The federal government and private sector have done a better job of banding together to work on cybersecurity issues over the past few years, but there remain real gaps in the way agencies promote secure technology through their purchasing, support small businesses, and ensure basic cyber protections are being implemented in the public and private sectors.

Those are some of the main takeaways from a report released this week by the Center for Strategic and International Studies, which draws on research and two roundtable discussions the non-profit think tank hosted with high-level government and private sector executives.

The discussions (held under the Chatham House rule, which grants pseudo-anonymity to participants) reveal a more closely aligned relationship between government agencies, which largely lack visibility over the mostly privately owned IT infrastructure where the lion’s share of hacks occur, and industry, where executives can often benefit from the latest insights about threat actors and hacking campaigns gleaned from intelligence gathering.

In particular, a number of participants praised the stand-up of new public-private “nerve centers,” like the Joint Cyber Defense Collaborative housed at the Department of Homeland Security, as meaningful contributions to the burgeoning public-private partnership on cybersecurity.

Eugenia Lostri, an associate fellow with the Strategic Technologies Program at CSIS and primary author of the report, told SC Media that the JCDC was “mentioned as definitely a positive development signifying change” in the way cybersecurity incidents are handled across the public and private sectors.

“The comments that we heard were overall very positive to how that had been conducted and there seems to be a lot of recognition about how the federal government conducted itself and communicated with the private sector,” Lostri said.

Although it has existed for less than a year, the JCDC has already been used to respond to a range of high-profile threats, including the Log4j vulnerabilities, and to increase digital resilience for U.S. organizations in the wake of the Russian invasion of Ukraine. Such centers are intended to go beyond mere sharing of static indicators and are more akin to a joint task force between government and industry that responds to emerging cyber threats and pushes out fixes at speed and scale.

However, while real strides have been made in the way these entities communicate, both sectors are still struggling to normalize baseline protections whose absence is routinely exploited by malicious hacking groups. If the discussions revealed a closer working relationship between the federal government and industry, they also revealed that both are failing to implement cyber hygiene measures for their IT environments, with statements like “too many organizations — public and private — are falling short in basic things” and “basic mistakes are being exploited.”

“The need to improve cyber hygiene came up repeatedly — it’s not that organizations don’t know what to do to achieve better cybersecurity, it’s that many still aren’t doing it — but there was a recognition that market incentives may not always align with hygiene,” the report noted.

Many organizations still put little to no strategy behind their patching practices, attempting to update anything and everything in their environment and winding up with long backlogs and patching fatigue. Small changes, like identifying high-value assets and data and prioritizing deeper patching for them, can help move an organization further ahead in its cybersecurity journey.

The federal government, for its part, has embarked on an ambitious plan to implement a range of zero-trust security strategies across government, but agencies still largely don’t have a handle on all the devices and users connecting to their networks, or have multi-factor authentication and logging in place on those devices. These elemental aspects of cybersecurity must be tackled well upstream of efforts — like implementing endpoint detection and response or microsegmentation — that are currently underway.

Government could also do more to wield its considerable purchasing power to push higher security standards in the products and technologies it uses, which can in turn influence not just contractors but the broader private market when it comes to how security is baked into products.

The report notes that the federal government spends between $14.4 billion and $20 billion on cybersecurity every year, and recent legislation like the bipartisan infrastructure law is expected to pump billions of additional dollars into the cybersecurity ecosystem. That spending presents an “opportunity to build incentives” for the private market, and it’s something that officials like White House cyber czar Anne Neuberger have posited, as well.

Small businesses in particular tend to get the worst of both worlds: they are highly targeted by criminal and nation-state hacking groups, yet often lack the resources or reach that might make them a higher priority for government assistance.

“There was a lot of talk about how to recognize that [small and medium size businesses] are left out in the cold,” in these discussions, Lostri said. “There was a lot of discussion about ways in which we could develop incentives or resources, not just from the federal government but also bigger firms.”

While programs like CISA’s Cyber Essentials provide a variety of resources and guidance geared specifically to small businesses, more incentives are needed to raise the security posture of this core segment of the American economy. In addition to leveraging its purchasing power to drive better product security, the report recommends a more robust governmental role in issuing “seals of approval” for trusted or secure products that businesses can draw from.