Cybersecurity is a shared responsibility. During National Cybersecurity Awareness Month, the Administration has educated the general public about the evolving risk of cyber threats through its “Stop. Think. Connect.” campaign and reminded the American people, government agencies, and industry that everyone has a role to play in guarding against cyber attacks. At the same time, Administration officials have leveraged the momentum of National Cybersecurity Awareness Month to announce changes in government organizational relationships designed to enhance the security of federal information assets and networks in cyberspace, such as the Memorandum of Agreement between the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) formalizing agency roles and responsibilities for coordinating cybersecurity. One area that has received less public attention is the need for government to enhance its partnership with the private sector.
Building this partnership and clarifying these roles and responsibilities is critical. The private sector’s resources are inextricably linked to our government’s efforts to successfully secure federal information in cyberspace for several key reasons, most notably:
Much of the nation’s cyber infrastructure is owned and operated by the private sector. Because the public, government, educational institutions, and industry rely on cyberspace, an attack against a major player in the Information Technology (IT) infrastructure sector may not be just an attack against a company. Instead, it may result in an attack against the Internet itself and may impact citizens, governments, and companies across the globe. The federal cybersecurity community must clarify the degree to which government and industry should partner to prevent, detect, and defend against these challenges
Each key sector of the nation’s Critical Infrastructure and Key Resources (CIKR) leverages cyberspace to perform mission-critical tasks. Cyberspace minimizes and, in some instances, eliminates jurisdictional, organizational, and technical boundaries of CIKR sectors (e.g., emergency services, defense industrial base, communications, government facilities, etc.). While the increased capability to share information across sectors enables private sector and government CIKR stakeholders to perform more efficiently and effectively, it also creates additional vulnerabilities in cyberspace. In order to truly be prepared to meet the challenges posed by cyber attacks that could threaten the security of multiple CIKR sectors, the federal government must enhance its partnership with private sector CIKR stakeholders
There is a shortage of cybersecurity talent in government. While the Cyberspace Policy Review included the need to expand and train its workforce as a key priority, and efforts are underway toward that end, the reality is…the government can’t do it alone. Cyber attacks are a constantly evolving, significant threat to our national security and the federal government. In the short-term, the federal government has an immediate need for a qualified, seasoned cybersecurity workforce (e.g., Information System Security Officers (ISSO), cyber strategists, security operations specialists, and program managers, etc.) and must fill these gaps by augmenting its existing workforce with the resources available in the private sector. Long-term, the federal government must assess its broader cyber workforce strategy and the role that the private sector plays in meeting mission-critical cyber requirements
As September came to a close, DHS hosted Cyber Storm III– an exercise designed to test the government’s cyber preparedness, which included participants from throughout the federal government, 11 states, 12 international partners, and 60 private sector companies. Cyber Storm III provided the opportunity to test the updated National Cyber Incident Response Plan (Interim Version, September 2010), including the roles and responsibilities of the private sector in cyber incident management. With more than 20 additional private sector participants than its preceding exercise, it also provided an unprecedented opportunity for government and the private sector to work together to solve a (fictional) cyber threat scenario. We look forward to viewing the exercise’s after-action report and the recommendations for government to enhance its partnership with the private sector in the cybersecurity arena.