CISA director promotes collaboration and trust at RSAC 2022

Cybersecurity leaders from the White House and federal government encouraged more cooperation between government and non-government entities during a Tuesday RSA Conference 2022 keynote.

Moderated by Bobbie Stempfley, vice president and business unit security officer at Dell Technologies, the RSA Conference panel was titled "Cybersecurity as a National Security Imperative." Panelists included Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, National Cyber Director John "Chris" Inglis and National Security Agency (NSA) Cybersecurity Director Robert Joyce.

A key focus of the session was collaboration between the different agencies. Inglis said the various entities aim to offer diverse skill sets to complement each other and ensure that from a threat actor's perspective, "you have to beat all of us to beat one of us."

For example, the NSA's purpose is to collect and process both domestic and international intelligence, while CISA uses the information to, as Easterly pointed out, "understand, manage and reduce risks to the critical infrastructure that Americans rely on every hour of every day." Joyce highlighted frequent joint CISA advisories sponsored by agencies like the FBI and NSA as an outcome to these efforts.

Easterly said a crucial part of this cooperative focus starts at the culture level, both between entities and internally within CISA.

"As the newest government agency, I probably spend more than 50% of my time building the culture of [CISA], developing our core values, our core principles, and ways to weave these into the fabric of the organization," she said. "And at the end of the day, it's all about our people. How are we building an ecosystem that allows us to attract and retain the best talent to be able to help defend the nation in cyber? That comes down to how we treat our people, how we develop them, how we treat other people, and how we treat our partners."

Easterly also pointed to private-sector partnerships as a necessary part of building a cyber defense. A major initiative to practice public-private partnerships was the Joint Cyber Defense Collaborative (JCDC), established last August. The JCDC was an initiative started to lead development of the U.S.'s cyber defense plans; members include federal agencies, enterprises, state and local governments, and more.

Easterly said it's not lost on anyone that the SolarWinds supply chain hack was discovered not by the U.S. government, but rather by private vendor Mandiant.

"[Private-sector organizations] have incredible visibility that we just don't have," Easterly said. "We want to be able to share that visibility so we can identify those dots, connect those dots and drive down risk to the nation at scale."

Government officials have long advocated for stronger public-private partnerships in cybersecurity, though past efforts haven't always come to fruition. Easterly said coordination and cooperation with the private sector has increased this year as nation-state attacks have ramped up amid Russia's invasion of Ukraine.

"Since the war in Ukraine, we've started working together, planning together and implementing what we call an operational collaboration model, where we're sharing information in near-real time through a very exotic technical tool called Slack," she said. "That has enabled us to really share insights and information and analysis in a way that the government and the private sector have never done before. And it's starting to build momentum."

The most critical part of that momentum, she said, is building trust, which starts within the different government agencies tackling cyber threats.

"If you can't have trust in the space, we can't have it with our private-sector partners. And trust is built through transparency, responsiveness, humility, gratitude and everything that says, 'We want to add value from a government perspective, and you want to add value from the private sector. Let's come together and do it collectively for the defense of the nation.'"

Alexander Culafi is a writer, journalist and podcaster based in Boston.