Current, former government cyber officials tout industry collaboration advancements

Information sharing between the private sector and the federal government is providing a leg up when responding to vulnerabilities.
Jen Easterly testifies during her confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee on June 10, 2021 in Washington, D.C. (Photo by Kevin Dietsch/Getty Images)

When Ivanti devices got hacked earlier this year, the company’s participation in an industry-government collaboration gave the Cybersecurity and Infrastructure Security Agency a “head start” toward confronting the vulnerability, the agency’s director said Wednesday.

Cybersecurity firms linked the attack on Ivanti products at the start of 2024 to Chinese hackers, in a breach that ended up affecting CISA itself. In April 2023, Ivanti joined the Joint Cyber Defense Collaborative — a project that has been panned by some and that CISA officials acknowledge has room for improvement.

“That connectivity gave us a head start in working with you when we found out about the vulnerability in January,” CISA Director Jen Easterly, who has led the agency since 2021, said at an event hosted by Ivanti. “There were some tough days” early on with CISA, she said, but working with Ivanti and in the government to issue alerts shows how far the agency has come.

Easterly also praised Ivanti for the cybersecurity commitments it announced last month amid recurring security woes. Those “incredibly encouraging” pledges “should be a model for how other CEOs are embracing not just secure-by-design principles, but also when we talk about corporate cyber responsibility,” Easterly said.

The JCDC is all part of the ever-evolving, ever-discussed “public-private partnership” between government and the private sector.

At the same Ivanti event, Easterly’s predecessor, Chris Krebs, said the years of work to build up federal collaboration with industry are paying off, from the Joint Cyber Defense Collaborative to the National Risk Management Center — the “proto” version of the JCDC, he said — to the National Security Agency’s Cybersecurity Collaboration Center.

“We’re starting to see that these things work with the resources and time into it, but it’s generating results and there’s no better evidence of the results, I think, than when Russia invaded Ukraine, and the ‘Shields Up’ campaign and the breadth to which that was able to change behavior in industry,” said Krebs, now chief intelligence and public policy officer at SentinelOne. 

Also at the event, a top FBI official said Congress needs to renew liability protections for companies that share cyber threat data with the federal government before they expire next year. Congress established those protections against lawsuits under the Cybersecurity Information Security Act of 2015.

“One thing we should really do is protect those things that are already working,” said Bryan Vorndran, assistant director of the FBI’s cyber division. “That’s something that we should just continue as essentially a clean bill moving forward; it gives [the] private sector very specific protections.”

The threat information sharing program established under the 2015 law has had its own share of problems, although a watchdog report from January noted that “sharing has improved” in the past couple years.
