For years, cyber policymakers, experts and industry have talked about cybersecurity collaboration, but, National Cyber Director Chris Inglis told reporters Tuesday, “I don’t think we have talked about cyber collaboration very well.”
The director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Jen Easterly, took it one step further, saying the government didn’t even really talk about collaboration in her first go-round as a government cyber official, before a more than four-year stint in the private sector. Instead, she said, “We talked about public-private partnership to the point it became hackneyed.”
The Joint Cyber Defense Collaborative (JCDC) is one such mechanism for doing so, Easterly said. That center brings together not just government and industry, but researchers and international partners. Easterly and others credit the initiative for getting ahead of the so-called log4j vulnerability that some feared could affect hundreds of millions of devices.
Before the JCDC, “there was not this real-time exchange of insights and data and information on a frankly, minute-to-minute basis, that we’ve tried to evolve over the past nine months,” Easterly said of the center, announced last August.
The key difference between the JCDC and past efforts, said Inglis, is that Congress established in law that the JCDC’s modus operandi “is to essentially have this place where we can actually put information on the table to share without preconditions.”
Speaking on stage on a panel at the 2022 RSA Conference, Easterly said the JCDC was still establishing itself.
“It’s starting to build momentum, but most importantly, it’s starting to build trust,” she said. “We are very aware that building trust is hard and breaking trust is easy.”
The National Security Agency has its own Cybersecurity Collaboration Center for working with the defense industry, although Rob Joyce, the agency’s director of cybersecurity, told reporters he was reluctant to share evidence of tangible success given the nature of the NSA. But he offered anecdotal evidence.
“It is all built on companies seeing value and then deciding they need to continue to contribute,” he said. “And that’s my measure. They’re back.”
Working together within government
The fragmented nature of the federal cyber bureaucracy sometimes draws complaints from lawmakers and other policy experts who say it keeps the government from having coherent lines of authority on cyber, and makes it hard for the private sector to know who to talk to, or when.
The White House has two major different power centers — the national cyber director, and the deputy national security adviser for cyber and emerging technology — alongside agencies such as CISA, the NSA and Cyber Command.
Inglis, however, said on the RSA panel that the diffuse structure was actually a strength.
“If you want an organization to be effective it has to be, by design, complicated,” Inglis said before amending “complicated” for “diverse.”
“Look at the U.S. Department of Defense. It boggles the mind why you have all of those kinds of line items,” he said. “Yet when it enters the field of battle and essentially achieves what are called joint operations.”
Inglis touted “stovepipes” as a “source of deep expertise.” The phrase “stovepipe” was once a major source of the 9/11 Commission’s ire; different agencies having their own intelligence branches hardened turf and contributed to the prevention of “connecting the dots,” the commission said.
“I will say that when I was in the private sector at Morgan Stanley for four-and-a-half years, I did look at the government as feeling pretty disjointed and incoherent and not necessarily knowing how to interact effectively,” Easterly said. “And I think between us and some of our other teammates on team cyber, I think we’ve tried to make a lot of progress on that.”
Asked how that progress continues when Easterly, Inglis and Joyce leave, Joyce answered, “There’s an enormous amount of process already.”
Added Inglis: “Culture eats organization for breakfast.”