The federal government has a lot of work to do to enhance its own cybersecurity, as a recent report from the Office of Management and Budget and Department of Homeland Security makes clear. However, to improve cybersecurity, the government must continue to partner with the private sector and state and local governments, according to a DHS official.
Rick Driggers, deputy assistant secretary for cybersecurity and communications in the National Protection and Programs Directorate (NPPD) at DHS, said that as cybersecurity threats evolve and multiply, the government cannot combat the problem on its own.
“This is a team sport. This isn’t something the federal government will be able to do on our own,” he said at the Cyberthreat Intelligence Forum in Washington, D.C., on May 31, presented by FireEye and produced by FedScoop and CyberScoop. Enhancing cybersecurity will require “strong partnerships” with the critical infrastructure sector, state and local agencies, and international allies that have the same norms and behaviors on cyberspace as the United States.
Notably, Driggers said that while malicious cybersecurity actors’ capabilities are becoming more complex, the exploits they use are essentially the same tactics they have used for years. Vulnerability scanning for unpatched systems and spear phishing — “simple vectors” as Driggers called them — are still responsible for 80 to 85 percent of attacks.
What the government and private sector are not doing enough of is imposing costs on adversaries and making them expend time, energy and effort to cause their intended effects, Driggers said. The goal should be to harden IT infrastructure so that attackers “look at you and move on to the next” target.
Cybersecurity Requires Partnerships to Be Successful
DHS takes its cybersecurity partnerships seriously, Driggers said. The agency holds training sessions and exercises with state and local government agencies and conducts information sharing. “We work every day to try to build our partnerships,” some of which are more formal than others, he said.
A key element of the NPPD’s strategy to ensure the strength and resiliency of the country’s cybersecurity infrastructure is to partner with private-sector cybersecurity firms, Driggers said. Those companies are looking at private-sector networks. DHS works with those firms as well as state and local agencies to ingest threat information, anonymize it and get technical data out of it that can be then spread to the cybersecurity defense community.
Driggers repeatedly stressed the need for cooperation between the federal government and its partners. “We can’t do this on our own,” he said, noting that cybersecurity defense requires “the private sector, across really all industries, to help reduce and mitigate this risk.”
DHS shares unclassified but sensitive information on cybersecurity threats with the private sector via its Private Sector Clearance Program. The goal, Driggers said, is to share threat intelligence as broadly as the agency can with the relevant stakeholders and communities of interest.
DHS Focuses on Cyber Hiring and Collective Defense
On May 15, DHS released its long-awaited cybersecurity plan, which will guide the agency’s approach to cybersecurity over the next five years.
Part of the plan, Driggers said, is to build up a cybersecurity workforce. As CSO Online reports, in 2017, there were about 350,000 cybersecurity job openings, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education a program of the National Institute of Standards and Technology.
DHS needs to do more to engage with the private sector and academia to build a cybersecurity talent pipeline, and the federal government needs to change its hiring practices to more easily hire cybersecurity professionals, Driggers said.
DHS is also focused on “driving down systemic and catastrophic risk to critical infrastructure owners and operators,” as well as cutting down on risks from supply chains.
Finally, Driggers said, the focus needs to be on “collective defense” and getting the entire country engaged in cybersecurity. He pointed to DHS’ Automated Indicator Sharing system, which enables the exchange of cyber threat indicators between the federal government and the private sector at machine speed. Since 2016, Driggers said, AIS has shared 2.8 million unique threat indicators, and there are 11 foreign countries hooked into AIS.
Driggers said he would like the private sector to more frequently share the threats they are seeing into AIS. DHS is also making changes to the system, based on private-sector feedback, to provide more context to the threats it is sharing.