Bringing public and private players to the table is essential, Inglis said during the RSA Conference, because no entity has a full view into threats and it’s only by everyone sharing clues and insights that a more complete, actionable picture of cyber risks emerges.
Plus, the sheer sophistication of organized ransomware operations calls for mustering an organized, robust response against them, he said.
“We should be expected to bring to bear all of our resources — all of our capabilities, all of our authorities — to effect a collective defense, because that’s what the transgressors are doing against us,” Inglis said. “Ransomware has organized as a syndicate; it’s a syndicate operating against us.”
Federal agencies have been working to build trust and gradually grow their lines of communication with private players. Russia’s invasion of Ukraine recently prompted CISA to expand outreach to more financial institutions and energy companies, which the agency fears could be targeted, Easterly said.
But public-private collaborations still hit roadblocks, and NSA Director of Cybersecurity Rob Joyce said private firms often mistakenly believe the federal government is holding back threat intelligence and sharing only a partial picture. Inglis insisted, though, that when the government issues generalized warnings, it’s often because that’s all it actually knows.
“Sometimes we can predict thunderstorms and not lightning strikes,” Inglis said.
WORKFORCE AND CULTURE
Easterly and Inglis often tout their collaborative approach, which they say has seen the FBI, NSA, CISA and others present a more united message on cybersecurity and engage more transparently with the private sector. Ensuring this approach outlives their tenures means Inglis and Easterly need to infuse the philosophy within their agencies’ cultures, they said.
“Culture eats organization for breakfast, so we need to make sure we establish a positive, compelling culture that, essentially, outlasts us,” Inglis said.
Easterly said she dedicates half her time to developing CISA’s culture through efforts to identify and ingrain core values and principles, including looking to how the agency attracts, develops and retains talent.
The public sector continues to struggle to fill its cybersecurity staffing needs, and Inglis suggested re-examining open postings to see where computer science and engineering credentials may not be necessary. In some cases, a combination of automation tools and individuals with different backgrounds could tackle needs.
Cybersecurity teams are stronger when they reflect a wide array of viewpoints, perspectives and ideas, so agencies need to seek this out. That means making efforts to recruit candidates who are neurodiverse and age diverse, reflect different gender identities and sexual orientation and come from different races and nations, Easterly said.
To win over people with different perspectives, agencies may need to use different approaches. Easterly said that some populations are turned off by the term “cybersecurity” or find it sounds “too technical [or] too complicated.” Cyndi and Ron Gula, heads of Gula Tech Adventures — a foundation that invests in cybersecurity firms and nonprofits — are instead seeing whether some candidates are more receptive to job postings that use the term “data care,” a phrase more evocative of “health care,” she said.
“Some underserved parts of the population, they hear the word ‘security’ and they bridle at it,” Easterly said.
Inglis also noted that cyber should become part of professional training even for individuals who land outside cybersecurity. Lawyers and CEOs, for example, regularly make decisions that impact cyber postures and so need a deeper grounding.
SHIELDS STAY UP
When Russian aggression against Ukraine first heated up, CISA launched its Shields Up campaign to urge organizations to be cyber vigilant and to provide them with resources and guidance.
Now, months later, Easterly told RSA attendees that this heightened attention to cybersecurity isn’t a phase anymore, but part of what should be a new normal. CISOs and CIOs have told her that the campaign helped them persuade business leadership of the importance of investing in cyber response and recovery.
“‘Shields Up’ given the highly complex, highly dynamic, dangerous threat environment that we live in … is really the new normal,” said Easterly.
At the same time, Easterly recognized that individuals cannot maintain such high alert in the long term.
Balancing a continued need for robust cyber response with organizations’ limited capacity for keeping up extreme vigilance may mean reconsidering how the public and private sectors manage cybersecurity responsibilities as well as government finding a way to better push out threat advisories, she said.
Inglis has continued to call for rethinking who the bulk of cybersecurity responsibility — and the pain of cybersecurity failures — falls on. He’s pressed for technology providers, federal government and others with deep resources and influence over the ecosystem to take on more responsibility, shifting some off of end users like local government and individuals.
Still, Inglis and Easterly said, individual users must play some part in keeping themselves safe and should adopt basic best practices — essentially doing the cyber equivalent of wearing a seatbelt and looking both ways before they cross the street.
For government officials, one takeaway is that they need to learn to explain cyber basics — such as updating software and thinking twice before clicking on links — in terms that are easy for residents to understand.
Residents are likely to tune out phrases that sound like technical jargon, making it important to come up with explanations that are easy for a layperson to parse.
“When you say ‘multifactor authentication,’ which research shows can make you 99 percent less likely to get hit, people say, ‘Oh my god, it’s so technical,’ their eyes glaze over and they ignore you,” Easterly said.