As adversaries continue to develop and deploy new technologies, cyberattacks pose a greater threat to the United States than ever before. To address these risks, the federal government recently released the National Cybersecurity Strategy, which aims to build a more secure and resilient cyber ecosystem nationwide.
For the U.S. government, acquiring the capabilities necessary to execute the strategy means working with industry, but there are still collaboration challenges that may result in security issues. According to cyber experts, who convened for a panel discussion during the Potomac Officers Club’s 2023 Cyber Summit last week, bridging the communication gap between the public and private sectors is crucial to bringing the plan to fruition.
Aaron Bishop, chief information security officer for the Department of the Air Force, said that today, the intelligence data sharing between the government and its contractors occurs after a threat is identified – a method that prevents organizations from being proactive about threats.
“What we really need to think about in public-private partnerships is a common language to talk in, and that security control is the currency. We need to be able to talk in a common way to have a discussion in real time about what the threat is,” he said.
Creating this language involves helping industry organizations understand the Department of Defense’s cyber posture, said Shaun Jones, vice president of Contegix.
Within the government, officials view security through a wide lens, he said. If each element of the development process is not entirely secure, the vulnerabilities add up and the technology as a whole is significantly less secure.
“Helping private industry understand helps them better their posture when it comes to getting the software more in line with DOD needs,” said Jones.
Doing so requires stepping away from contractual language, said Bishop. Within the acquisition community, this communication style has become the norm, but with the number of federal laws in place, it is not always productive, he said.
“It gets back to that common communication, common understanding and being able to communicate without getting buried in the compliance of doing X, Y and Z,” emphasized Jeanette McMillian, assistant director of supply chain and cyber at the Office of the Director of National Intelligence.
Focusing on checking off boxes and being compliant alone, she said, overlooks the impact of a product on security, risk and resilience. From that perspective, the cybersecurity strategy “was not just about cyber for cyber,” but about looking at cyber and its implications holistically, said McMillian.
“If there is an opportunity that they can take, the criminals are going to take it, the nation states are going to take it. So it’s incumbent upon the private industry to start thinking in terms of cyber resilience,” said Bishop.
The federal government has already taken steps to engage with industry within the cybersecurity realm. McMillian said that she has already witnessed the risk model move toward a more proactive approach, and Jones highlighted the current era as a “golden age” of public-private partnerships.
“This was not a strategy that was developed in the basement of the White House or somewhere just within the DOD. It was something that was open and transparent with the partners we were going to have to make sure that cyber was supported across the board,” said McMillian.
The Potomac Officers club will be hosting its next event – the 2023 Navy Summit – on June 21. Click here to learn more and register to attend the summit, which will connect Navy officials and private sector experts for a deep dive into the service branch’s modernization challenges and priorities.