The invasion of Ukraine thrust the Cybersecurity and Infrastructure Security Agency into public consciousness as the nation’s key cyber security risk advisor during a time of heightened risk. Congress recently passed legislation requiring critical infrastructure operators to notify the agency of security breaches, bringing it into closer contact with the private sector. This development builds on positive momentum for the agency, following a series of executive orders that expanded its authority and created a specific Joint Cyber Defense Collaborative to share information about threats between the public and private sectors. Nearly four years after its creation, the agency now has more visibility into the risks the country is facing and more resources at its disposal to combat them.
But to capitalize on this momentum toward greater public-private partnership, the agency should deepen its engagement with smaller organizations in the private sector and at the state and local levels. In our research, many private sector stakeholders described difficulties working with the federal government on cyber security issues: They didn’t know whom to speak with, and, even when they had a point of contact, did not always get the results they hoped for. What’s more, they sometimes worried about sharing information with federal law enforcement that would subject them to liability. The federal government also has concerns of its own. Private companies and state or municipality-run utilities often lack the resources and financial incentives to implement needed cyber security measures.
These systemic issues were highlighted in a recent three-hour phone call between senior Cybersecurity and Infrastructure Security Agency officials and over 13,000 private-sector cyber security professionals. Both agency director Jen Easterly and the stakeholders on the call noted the urgent need to better work with local and regional partners. And while the Joint Cyber Defense Collaborative is bringing the largest companies together with Cybersecurity and Infrastructure Security Agency, it is still only virtual collaboration.
In short, there is still a degree of distrust and distance preventing the government and private sector from working together to defend America’s cyber infrastructure. To overcome this, we recommend a more regional focus. The agency should start by bolstering its 10 existing regional offices with the $8 million in funding recommended for the agency’s FY2023 budget. This would bring more capabilities and presence into the field to build trusted relationships, increase information sharing, and focus on right of boom, or post-disaster, mitigation efforts.
Enhancing the agency’s regional offices would capitalize on its current momentum and bring it closer to the end user. To do this, the agency should transform its regional offices from advisory posts to collaborative defensive and analysis centers. As former commander of Joint Special Operations Gen. (ret.) Stanley McChrystal has said, “It takes a network to defeat a network.” The physical network infrastructure exists in the form of regional offices — with added support from the Federal Bureau of Investigation’s field offices. But those offices could be bolstered by creating additional private and public sector capacity to work alongside the current cadre of cyber security advisors, physical security advisors, emergency communications coordinators, and chemical security inspectors.
Borrowing some concepts from the U.S. military’s Joint Operations Centers, these collaborative defense and analysis centers could bring together cross-functional teams of analysts and operators from the public and private sectors. These would include representatives from federal regulatory and law enforcement agencies, critical infrastructure sectors, major municipal regions, businesses with cyber defense capability, and Information Sharing and Analysis Centers, which serve to share threat intelligence in specific sectors. We also recommended hosting regular “operations and intelligence” briefings that would hold all these nodes in place. While asking people to physically sit together may seem archaic in the age of COVID, ultimately, we believe that such a model would bring greater unity, physical breadth, and functional diversity. They would also make the field office a more accessible touchpoint for businesses and state governments operating within their region.
Enabling the Cybersecurity and Infrastructure Security Agency to pour more resources into those offices and bring more participants would boost visibility, sustainability, and scale across the country. It would also combat local threats and build deeper trust by improving information sharing with local businesses and the general population. This can help address the challenges facing smaller utilities like municipal water systems, which have struggled to secure their networks.
And there are resources to do this. The congressional commissioners who served on the Cyber Solarium Commission recommended $8 million in additional funding for regional offices in the agency’s 2023 budget. The former executive director of the commission, Mark Montgomery, recently told us that “in locations that are home to a high density of critical infrastructure, a single coordinator will be insufficient to meet the requirements to provide a more mature risk analysis and measurements capability outside of the federal network and provide an increased ability to support special projects and national level events.”
The Australian Example
Deep, institutionalized regional engagement between the U.S. government and private sector on cyber security would constitute a significant new development. Australia’s network of Joint Cyber Security Centres provides one good model to emulate. Established in 2017 and located in hubs like Adelaide, Brisbane, Melbourne, Perth, and Sydney, these have succeeded in embedding resources at the local level and building expertise for public-private collaboration.
Run by Australia’s Cybersecurity Directorate, the Joint Cyber Security Centres “bring together businesses and the research community, along with state, territory and Australian Government agencies, in an open and cooperative environment” to drive collaboration and information-sharing. Since their establishment, the centers have worked to build trust and better relationships between the government and private sector by offering access to sensitive information and facilitating more rapid and effective responses to cyber threats. Additionally, in order to provide threat intelligence calibrated to an organization’s capabilities and requirements, the centers offered tiered security clearance programs which allow varying levels of access to information and facilities.
Right of Boom
Enhanced regional offices similar to the Joint Cybersecurity Centres can be particularly valuable in disaster planning and response. As Juliette Kayyem writes in her book, The Devil Never Sleeps, we must focus on “left of boom” and “right of boom” planning. The Joint Cybersecurity Centres focus on the left of boom, that is, staving off attacks by raising our collective level of security and implementing cyber security standards through regulations. But, as Kayyem notes, disasters will happen, again and again — like many of us warned U.S. businesses in the lead-up to and during the Russian war in Ukraine. So we should also focus on mitigating the worst of the disaster’s effect after it happens to make it less severe.
Strengthened Cybersecurity and Infrastructure Security Agency regional offices, therefore, could build on the Australian model to support planning for the right of boom. One of the most important aspects of disaster continuity planning is the establishment and maintenance of personal relationships, especially face-to-face ones. Under Presidential Policy Directive 41, the Department of Homeland Security is tasked with coordinating the government’s “Asset Response” leg of the Cybersecurity National Action Plan, which involves assessing risk and providing guidance for recovery and damage mitigation. The best way to do this is at the local level, with easily accessible offices that invite companies and organizations to come in and meet and speak with their government counterparts regularly. While some states are working on Continuity of Economy plans, disaster recovery is far too important of a national priority for this patchwork approach. The 2021 National Defense Appropriations Act stipulated the president must create a plan to address this within two years — and the bipartisan Infrastructure Investment and Jobs Act appropriated $20 million for the Cyber Response and Recovery Fund to be used during a significant cyber incident. With money, authority, and vision the United States has a real opportunity move the needle on cyber resiliency.
An effective plan should bring the states and their homeland security and emergency management offices together with the federal Department of Homeland Security. It should also involve funding, regular exercise at a regional and national level, and the collection of lessons learned. Building out the regional offices would be powerful because at the regional level, there is intimate knowledge of business, critical infrastructure, and the general risk landscape. But it requires even more people, money, and systems connectivity, as well as a mechanism for regular situational awareness.
Trust Is Key
Going out to the where its customers are located would dramatically expand the Cybersecurity and Infrastructure Security Agency’s effectiveness. Additional representatives — leaders, analysts, and advisors — should be embedded at the local levels to build relationships, broker trust, and ensure that businesses that participate in public private partnerships see a return on their investment. For the system to work, regional offices should bring in cybersecurity analysts and operators from surrounding state and local governments and members of the private sector to create mission-driven teams with their own esprit de corps. They should give non-federal entities seats at the table as equals and better access to government leaders and timely intelligence. Teams that know and trust each other will have an easier time sharing intelligence and responding to incidents together. Right now, collaboration isn’t happening at the scale the country requires because the structures are simply not in place. Build the structures and the culture, unify the effort, and results will follow.
While the Cybersecurity and Infrastructure Security Agency’s recent outreach efforts have elevated public awareness of available resources, there still remains work to be done in ensuring that America has timely access to the necessary federal resources in the case of a cyberattack. As former agency director Chris Krebs noted, “the future of CISA is in the field.” To defend the networks on which the country relies and recover quickly from inevitable attacks, America needs nodes that can aggregate and share threat information and promote effective responses at the local and regional levels.
Graham Kennis is an Air Force officer. He focuses on the intersection of technology and national security policy, most recently serving as an intern for the Cyberspace Solarium Commission and for CSC 2.0 at the Foundation for the Defense of Democracies while completing a Master’s in Public Policy at the Harvard Kennedy School. Previously he served as a research assistant with the Belfer Center’s Cyber Project and as an enlisted communications technician in the Air Force.
Lauren Zabierek is the executive director of the Cyber Project at Harvard Kennedy School’s Belfer Center and a 2019 graduate of the Kennedy School’s mid-career MPA program. Her work focuses on strategic, national security issues in cybersecurity and technology. She is the co-founder of the online social media movement called #ShareTheMicInCyber, which aims to dismantle racism in cyber security and privacy. She is a United States Air Force veteran and, former civilian intelligence analyst with multiple deployments to Afghanistan. She also established and led the public sector customer success team at the cyber security threat intelligence startup, Recorded Future.