Establishing public-private partnerships to support information sharing in defense of critical infrastructure and homeland security has been a challenge for over 20 years. We have enacted policy, created incentives, attempted to build bridges, and more to bring government and industry together to close the gaps in our national defense strategy. However, as recent attacks against our critical infrastructure have shown, we have not been successful.
Attempts to overcome public-private information silos have been reinvigorated by CISA’s establishment of the Joint Cyber Defense Collaborative (JCDC). The newly formed collaborative represents an unprecedented — and, as yet, untested — partnership between a variety of government agencies (including the Department of Homeland Security, Department of Defense, U.S. Cyber Command, and others) and private-sector partners (including Microsoft, Google, and Amazon). The JCDC has been tasked with “coordinating cyber defense capabilities to ensure a whole-of-nation approach to securing critical infrastructure and defending national interests,” aligning both commercial and government interests and marshaling the respective resources of both to defend against increasingly sophisticated cyber attacks against critical infrastructure.
The JCDC is a promising step toward building an effective coalition, but it is a futile exercise if it builds partnerships according to the same information sharing model that previously failed to deliver the kind of public-private collaboration needed to effectively anticipate and respond to attacks against critical infrastructure.
Consider the current hub-and-spoke model of information sharing. In this model, information is passed from discrete organizations (spokes) to a central hub, which analyzes, enriches, and anonymizes data as needed before sharing that data with other spokes. There are benefits to this model, but it also has significant limitations. First, it imposes a one-size-fits-all information sharing protocol on sharing communities with unique needs, resulting in uneven participation. It also slows down incident response time, as information must first pass through the hub before being shared outward with other spokes.
Most importantly, private sector entities have been hesitant of the federal government asking for — or in some instances, demanding — their data. Private sector entities are often unwilling to share information about vulnerabilities or cyber incidents because they don’t have confidence that their information will be properly protected. Should such data be breached, companies run the risk of negative publicity, compromised reputation, regulatory penalties, the loss of trade secrets, and — consequently — falling stock prices and lost revenue. In short, the private sector has many reasons to see information sharing with the federal government as counter to its best interests.
Historically, the government has resisted mandating threat-information sharing between public and private sectors, attempting instead to alleviate the private sector’s concerns and incentivize the voluntary sharing of information. However, legislation currently being advanced on Capitol Hill requires the private sector to swiftly report hacks to CISA, with noncompliant companies facing subpoena or even potential penalties if they fail to do so within the mandatory reporting timeframe. In forcing companies to “report hacks or else,” CISA would compromise the public-private information-sharing partnerships currently being cultivated through the JCDC, leaving us right back where we started.
Director Jen Easterly has been clear that CISA is not and should not become a regulatory or enforcement agency and that its goal is to act as a trusted partner. However, even if it does not compel information sharing, in establishing itself as a central hub and prioritizing receiving threat information from the public sector, CISA runs the risk of developing asymmetrical partnerships plagued with all the old challenges.
Instead, CISA should work to establish partnerships according to a point-to-point distributed model in which information is shared freely among both private and public stakeholders in the national cyber defense mission. In the point-to-point distributed model, no single organization controls the inflow and outflow of threat information, and vertical partnerships between public sector entities and CISA are deprioritized in favor of horizontal partnerships among critical infrastructure owners and operators, government agencies (including CISA), and other cybersecurity partners. As a result, information can be shared at an operational tempo and according to an individual community’s specific needs rather than the needs of the hub.
The point-to-point distributed model more closely reflects how communities already work together — independently of the federal government — to protect their own infrastructure and resources. As such, supporting a point-to-point model is a more efficient use of both regional and federal resources than compelling communities to adopt new sharing practices and standards. In fact, many of CISA’s current resource investments already support a point-to-point distributed model.
Specifically, in recent months the agency has focused on recruiting industry leaders into cybersecurity advisor positions tasked with bringing together regional critical infrastructure owner/operators with federal, state, local, and other stakeholders. CISA has wisely focused on recruiting advisors who are already embedded within their assigned region and who, as a result, already have longstanding community ties. Unsurprisingly, many of these advisors are former National Guardsmen, who have been engaging and defending their communities from cyber attack while simultaneously working within the private sector. As such, the National Guard serves as an excellent example of the kind of community collaboration that already exists and that can be resourced by CISA via a point-to-point distributed model.
That said, the most immediate and useful resource CISA has to offer is the wealth of unclassified information that it currently owns. Offering this information to its private-sector partners without compelling information sharing in return would better enable CISA’s regional cybersecurity advisors to build stakeholder relationships on a foundation of trust rather than policy. It would also position CISA as a participant within a broader community of sharing communities rather than as a regulator of a governmental information sharing process. In short, the hub-and-spoke model may empower CISA, but a new distributed model can better empower the national defense effort as a whole.
As a country, we have an incredible number of resources and partnerships at our disposal, and this puts us at a significant advantage in the cyber fight. However, if we want to outpace increasingly sophisticated cyber warfare, we are going to need to observe globally, protect nationally, and defend locally.