Attacks against critical infrastructure, government institutions, private companies, and the foundations of U.S. democracy continue to succeed for two fundamental reasons. First, nefarious threat actors innovate upon each other's work more than their victims collaborate. And second, the asymmetric cyber threat landscape necessitates that more significant resources and expertise be allocated towards defense than offense.
Stated simply: it is easier to break things than secure them or repair them.
Adversaries ranging from sophisticated nation-state sponsored advanced persistent threats (APTs) to opportunistic cybercriminals neither discriminate between public and private sector targets nor get bogged down in moralistic quagmires over the impacts attack campaigns might inflict on institutions, critical infrastructure, or individuals. Quite the contrary often proves true: the potential significance of the impact is more likely to draw attackers than deter them. Though some adversaries directly collaborate with other threat groups and communities, more often they consistently improve their malware and attack paradigms through vicarious reinforcement. Cyberattacks succeed in a threat landscape that already perilously favors the offensive over the defensive because attackers innovate, operate, and target without the resource, organizational, and technical barriers that inhibit siloed stakeholders.
Public and private sector stakeholder collaboration, innovation, and thought leadership disrupt the adversarial attack chain, reverse vicarious reinforcement, and improve the security and resiliency of stakeholder systems.
As executive vice president of CRA's Community platform and founder and chairman of the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based 501(c)(3) cybersecurity think tank, I have the privilege of working with some of our nation's top experts who sit at the intersection of cybersecurity, national security, and critical infrastructure resiliency. These leaders are keenly aware that a successful whole-of-nation response to APTs is predicated on the simple yet powerful idea that public and private sector collaboration supersedes that of our enemies.
Research-focused NGOs play a vital role in accelerating critical infrastructure resiliency by creating forums that unite fragmented stakeholders and siloed organizations to support a joint mission. Recently, CyberRisk Alliance partnered with ICIT on its annual gala and benefit to raise funds in support of its mission to defend our nation's critical infrastructure sectors and democratic institutions through objective, non-partisan research and educational initiatives tailored to policymakers, business leaders, and technology innovators. This year's gala celebrated the accomplishments of the critical infrastructure cybersecurity community and honored three distinguished national security leaders committed to public-private collaboration:
- 2022 Pioneer Award: Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency (CISA)
- 2022 Pinnacle Award: Kemba Walden, Principal Deputy National Cyber Director, Office of the National Cyber Director (ONCD)
- 2022 Impact Award: Col. Candice Frost, JIOC Commander, United States Cyber Command
During their remarks, these public sector luminaries lauded the role that research plays in effective public-private partnerships and the impact NGOs like ICIT have on the community. One need only look at ICIT's Fellow program, which consists of leaders including Tim Callahan (SVP/global CISO at Aflac and CRA Cybersecurity Collaborative Executive Committee member) and Malcolm Harkins (CRA board member), to see the value private sector executives place on public sector engagement.
The nation's safety, stability, and security depend on the resilience of U.S. critical infrastructure and the strength of its cybersecurity community. The success of vital critical infrastructure initiatives — those tied to software supply chain security, the Cybersecurity Maturity Model Certification (CMMC), and the Trusted Exchange Framework and Common Agreement (TEFCA) to name a few — will depend on public and private sector stakeholders' ability to communicate, collaborate, and effectively integrate innovative ideas into the complex collections of public and private technologies, systems, and processes.
Non-partisan, objective, and vendor-neutral NGOs, such as ICIT, serve a mission-critical role in facilitating public-private partnerships that lead to lasting positive change. By working together for the nation's benefit, regardless of political affiliation or company designation, we can ensure the highest degree of security and resiliency for U.S. critical infrastructure, its democratic institutions, and future generations.