For U.S. government, cybersecurity is becoming a team sport
At home and abroad, when it comes to 5G, critical infrastructure and supply chain security, DHS and other agencies are employing a mix of partnership, persuasion and pressure to get results.
When it comes to implementing new cybersecurity standards, the U.S. government has adopted a strategy of persuasion. Policymakers are building momentum behind a series of policy pushes among private companies as well as foreign allies in the cybersecurity realm, from baseline standards for connected devices and 5G to supply chain security, information sharing and incident response.
Representatives from two major private telecommunications companies were the latest to praise the Department of Homeland Security and other agencies for their collaborative approach to solving some of the thorniest dilemmas in cybersecurity.
"I've been in this industry in over two decades, and the work that has happened in just the short past few years has been happening at light speed between the government and industry sectors," said Jason Boswell, head of security for North American network product solutions at Ericsson, ticking off examples like the ICT Supply Chain Task Force, outreach efforts by NIST to industry groups and others.
There are ample incentives to work closely together on both sides.
Leaders at CISA have long recognized that while the private and public sectors are connected through common IT supply chains and ecosystems, their agency has little to no authority to regulate or compel private companies when it comes to what technologies they should use or how. Many private companies, on the other hand, have come to realize that they are largely outgunned over the long term in a battle with foreign governments and sophisticated criminal hacking groups.
Out of that environment came a partnership model in which companies work toward the adoption of industry-wide standards in exchange for technical resources, information sharing and a seat at the table during government initiatives like the ICT Supply Chain Task Force.
"I would give the United States an A grade on one thing in particular, which is the cooperation that's happening between the government and private sector," said John Godfrey, Senior Vice President of Public Policy for Samsung. "There really is a whole lot that's happening…a lot of information sharing that's happening and I think they're doing a great job there."
At the same event, Cybersecurity and Infrastructure Security Agency Director Chris Krebs pointed to the recently established National Risk Management Center as the personification of the partnership model DHS and other agencies are pushing.
"The concept was to bring together the entirety of the federal government, whether it's civilian agencies, the intelligence community, technical agencies, the Department of Defense, everyone together for a single storefront for engaging the private sector on managing risk," said Krebs.
Some of those same principles can be seen at play overseas as the U.S. works to convince allies to adopt its hardline position on preventing Chinese telecoms like Huawei and ZTE from gaining a foothold into Western telecom 5G networks. At the end of the day, the U.S. can't force its allies to shun Huawei or other Chinese companies, and so persuasion and pressure have become the primary tools U.S. policymakers have used.
Rob Strayer, deputy assistant secretary for cyber and international communications and information policy at the Department of State, said the U.S. was "seeking to build a coalition of like-minded governments" that are able to act as one unified body to respond to malicious cyber activity from nations or criminal groups. While that sort of cooperation has taken place on the attribution front, Strayer said such a coalition could also make an impact in terms of "imposing consequences" on those groups, presumably through economic, diplomatic and other sanctions.
Strayer acknowledged that when it comes to 5G, there are economic as well as security issues at play. Part of his job involves persuading allies and other countries that they have options other than Huawei when it comes to the equipment and components that make up 5G networks.
"There's a great propaganda campaign out there to try to establish that there's one company that is so far ahead of everybody else that there will be no way that you can go with another set of technology than that company," said Strayer. "Well, the truth is there's companies that have basically the same number of commercial contracts out there today and with respect to the United States we're leading the world in commercial deployments in our medium and large cities…without Chinese technology."
However, when partnership and persuasion don't work, U.S. officials are not above falling back on pressure. Strayer repeated sentiments expressed earlier this year by Secretary of State Mike Pompeo that countries who do not heed warnings about using Huawei or other "untrusted" equipment are putting their information sharing relationship with the U.S. at risk.
"Whether it's [Department of Defense] or State Department information which is going to 230 posts around the world or other types of communications that are sensitive relative to the U.S. government…we need those to be on trusted networks," said Strayer. "As we move forward, we're going to continue to constantly reassess the ability for us to protect information that's flowing over networks, so if countries deploy unsecure vendors in 5G, that is a serious cause for concern for us and will cause us to reassess how we share information."