This is a blog I’ve wanted to write for a long time, but every time I sat down to do it I found it difficult to capture the nuance of my intent and also difficult to keep it from turning into a 50k word thesis paper. However, I keep getting the question “Should governments actively defend private sector networks” or iterations of it such as “should the government be doing assessments?” “should the government do incident response?” and a lot of variations of that question. Ultimately people are really asking “what is the role and responsibility of government in cybersecurity?” but that is definitely a complicated topic that I won’t pretend to be able to answer here. This blog is going to be me rambling more than normal. There are so many examples I have to back up my point of view that I simply cannot share, which is unfortunate, so I recognize this is going to have to be seen much more as “in my opinion” and I accept that. I can also already see this ruffling many feathers, especially of my government colleagues, but please know I do see and value a role for governments in cybersecurity; I just think we have to be much more candid with ourselves so that we can get to a better place than the trajectory we’re on now. Ok here we go…
I keep getting the question of whether the government should be performing the cyber defense mission for the private sector, and there have been a lot of important documents on the topic lately, so I want to share some observations. I am not going to try to capture all the nuance. That will leave plenty of areas for disagreement and grey areas. But I think capturing some streaming thoughts is important, as the “debate” is becoming incredibly one sided, with not many voices publicly opposed to the idea while many, at least in the networks I have, are privately very vocal and with good reason.
For background reading for this topic I’d suggest Joe Slowik’s “Cyber Leviathan” entry (a much more nuanced and eloquent version of my ramble), the Cyber Solarium Commission report, DHS’ CISA Strategic Intent document, and Australia’s Cyber Security Strategy 2020 document.
I will also note there’s a big difference between “can” and “should” in the question of what the government role is. The answer to “can the government (insert any of your choice) defend private sector networks (or companies) today?” is a simple “no.” Full stop. Can the government do this mission? No, they are not equipped to do so and the private sector has far outpaced them. Forget the laws, regulations, or complications that sometimes come from even constitutional protections; if the government were allowed to do the job, could it? No. It’s not even resourcing alone at this point. Governments are large bureaucratic organizations, and while they house many experts and wonderful passionate people, as a whole they are not capable of this mission today, as proven by decades of not only abdicating their role in this space but, more importantly, not even getting their own house in order. I always find it slightly laughable when people talk about the USG coming in to save the day when every report, analysis, assessment, etc. from GAO and others, as well as public high profile breaches like OPM, showcase that there is more than enough mission to keep the USG occupied with USG cybersecurity. And they have awesome people to do it and I believe they will be successful there; but they have their hands full. This is going to come off coarse and unfair in some instances, and I say this all having been a USG cyber operator both in the Air Force and NSA doing defensive missions. I love the government folks I interact with, especially across the US, Canada, UK, Norway, Germany, Australia, New Zealand, Singapore, and the list goes on – tons of friends and amazing memories. Lots of love for the folks and admiration for the cybersecurity expertise that does exist in the pockets of complication and frustration. But can the government do the job of protecting the private sector from cyber attacks? Does it have the experience to do so, the expertise, the resourcing, etc.? Any way you slice it, the answer is no.
The question of “should” the government do this is a much more interesting debate to me.
At this point in time my answer is no, but I recognize there is a lively and appropriate debate on the topic. While my answer on “can” is a strong no and I will argue with anyone that they are obtuse to think the answer is “yes”, on the topic of “should” I think it’s more of an open debate. I know which camp I am in right now but I am open to being flexible and recognize there are many points of view that are valid here. I think it is extremely difficult to have a conversation on this while ignoring the reality of the “no” that exists today, but governments around the world are getting impatient about what they perceive to be strategic national risk due to cyber threats, and they expect that the private sector is going to do that mission while the governments may not even get visibility into attacks. That is the piece that scares most governments: that there can be attacks domestically that companies are dealing with and the government doesn’t see it. We see these debates playing out right now fiercely in the US, and usually the canary in the coal mine is the US electric sector. As an example, under NERC CIP there are new regulations that require electric companies to report any access or attempted access by unauthorized users/adversaries into bulk electric system systems such as the SCADA and ICS environments I often talk about. On the surface this sounds great. If an adversary is trying to get access into the ICS networks of a power company the government should know about it. The problem as I see it is that the government should encourage that with partnership, value added efforts that incentivize sharing, etc., and that doing it via force is a great way to kill the appetite of those companies to even look for the problems in the first place. What is the incentive of a company to report such access attempts? Today there is very little. They can expect FBI/DHS/DOE/DoD/etc. all on their doorstep telling them “No, I’m the agency to talk to” and “I’m here to help” without any understanding of their systems or problems. In many cases USG help for these companies to date in the form of tactical network defense efforts (there are plenty of other efforts that have been extremely well received and helpful) has either been full of a false sense of security (we ran your data through our survey tool and you’re ok now because the lights showed green) or it has been highly confusing and complicated for those companies. That’s not to say all government assessment teams are incompetent; there are plenty that do amazing work across government owned infrastructure as an example. But again, we exist in an ecosystem today where the federal agencies cannot and will not even concretely define roles and responsibilities, and they treat every case as an opportunity to go peacock and pitch their services and offerings and sharing groups more aggressively than the most annoying vendor. Again, I recognize how broad a paintbrush I’m wielding here, but please recognize I do understand the nuance; on this topic it’s getting worse not better, and as far as I see it there are very few public challenges to the mindset. Why? Because when a CEO of a company has USG come into their company and is told “you’re all good now” they feel good. Simple as that. They feel great. And if something happens and they’re in front of Congress about a major chemical explosion or power outage due to a cyber attack? They get to say “well we had your teams from DHS/DOD/DOE/EPA/FBI/etc. in here and they said we were all good.” It’s an extremely attractive proposition. I’m not saying people are doing any of this with malice. I don’t think anyone involved that I see is malicious or gaming the system. But a game has formed for sure, that I see at least, where people are incentivized not to do real security but to do security theater, and the people who pay the biggest price are the day to day security analysts who have to watch their CEOs publicly praise government agencies who are also publicly praising themselves in front of Congress, while the security analysts in the companies were the ones that did all the work or had to pick up the pieces. This is not meant to be an overly cynical take. There are plenty of good things happening too. But I promise I’m getting to the answer of “should” in the shortest rambling way I can.
Why was all that lead in important to the topic of “should”?
Let’s review two items. One from the US’ CISA and one from Australia’s cyber strategy, which largely touches on ASD. These were documents in the background reading above. And I say all this with as much love and admiration as I can for both organizations; they are good examples here but they themselves are not the problem, nor are the people in those organizations. I have many friends in each and each organization has done a lot of amazing things and has great potential. But on this topic let’s be candid and transparent so we can all get to a better answer. Here we go:
- Australia’s cyber strategy specifically calls out that they intend to invest $1.67B over the next 10 years to achieve their vision. The vision they outline covers a ton of areas from cyber security advice for families, to taking a more offensive approach to Australia’s strategic adversaries, to protecting and actively defending the critical infrastructure across Australia.
- US’ CISA Strategic Intent notes they want to partner more with the private sector with goals of defending infrastructure today and helping strengthen critical infrastructure long term. They advocate for common themes across USG over the years including risk management, risk visibility, information sharing, capacity building, training, deployed tools and sensors, and incident management and incident response.
If you review various appropriations documents and conversations on public record between DHS and Congress you’ll find they are positioning very heavily for programs like “Cyber Sentry” where DHS wants to create and maintain their own technology to deploy directly into networks, including into ICS networks, for them to be able to pull data out of those environments and perform managed defense and hunting type efforts for companies. Softer voices will note that this is really only intended for defense critical industries but that’s an absolute falsehood and it’s intended for everyone from power companies to pharma companies. There are plenty of times on public stages, from RSA to Congressional hearings to documents such as this, that DHS has noted they will perform network defense and incident response for the private sector. “Call us” they will say. They actively do assessments in the sectors today. And there are plenty of times, if you talk to one of the many fantastic people in DHS and ask them “do you do incident response”, the answer is “yes” or “well it depends”, and then you slice out what they mean by incident response. Which many times is largely “we won’t actually do the incident response, data collection, etc. efforts, but if you do the data collection we’re happy to take a look at it for you and if we know anything from the USG we’ll share back.” That’s not incident response. That’s a great value of “if you’re going through an incident communicate with us and we’ll try to help you with any insights we have.” That’s fantastic. But that’s not incident response.
I have been to a wide number of critical infrastructure sites across the US where, if you ask them whether they want to do an assessment of their networks or prepare an incident response plan for the eventual day they’re attacked, they will tell you “no, DHS was in here last year and our incident response plan is to call DHS.” If you get the right people in CISA as an example they’ll be explicit that that’s not what they are intending and private sector companies should still do their own efforts. But based on the communication, like CISA’s strategic intent document, this is the result you actually get. Additionally, you can ask different people in DHS and FBI field offices and similar and get different answers. It’s a highly confusing narrative, and no matter how you read it, it sits on top of a “can the government do this” answer of “no.”
Looking at Australia as an example, which I truly believe is trying to get to a good answer as well, the idea of doing everything they’ve talked about across 10 years with a $1.67B budget is simply not going to work. That’s not even a very effective budget across the broad mission they are painting. The idea that they also want to message that they will actively defend networks in critical infrastructure could very quickly lead to a misunderstanding in the sector that the “government has it covered” and will be your incident response team or even do proactive work for you. Government agencies would do well to pick one or two things they want to be good at and go nail them; trying to boil the ocean quickly loses the confidence of all parties involved.
Governments should want the private sector playing to their strengths and governments should play to theirs. Each have numerous strengths and roles to play. But when governments choose to focus on tactical network defense, incident response, risk assessments, etc. and messaging that they have that space covered or will – not only are we not playing with a full hand but it also messages to the private sector “spend your resources elsewhere we have this covered” and in my opinion that will overall lower the level of security across the country.
The private sector in the US, as an example, outpaces the government in cybersecurity process, people, and technology. Training, expertise, insights, intelligence, etc. on the topic of cyber threats reign king in the private sector compared to what is in the US government. Many times the classified US intel report on something is a combination of three or four private sector reports they’ve bought and pieced together with a picture of an Iranian and slapped a TS/SCI label on it. That sounds harsh. But it’s honestly that bad and worse sometimes. I have seen my own threat intelligence reports copy/pasted in full with no citation, had a classified label slapped on them, and redistributed to the private sector as original work. That’s not saying the government doesn’t have amazing finds, cool people, great expertise, etc. but again – we must play to our strengths. Also, private sector companies don’t get to say “see, yeah, we can do this without you government.” Nope, many of the reasons private sector companies outpace the government today are in large part due to investments the government has made over the years into this space, the early years of their work in fields like incident response and threat intelligence, and collaborating with the private sector. Undoubtedly we are better together. But in claiming to do missions that the government cannot do, you will destroy the ecosystem and the competition amongst companies that drives innovation and expertise.
Which brings me to the “should”. In my opinion governments should not be taking up a tactical cybersecurity mission such as network defense, incident response, deploying sensors in your networks, etc., especially in sectors that have a community or market. Not only is this deeply rooted in the “they can’t do it effectively anyway” commentary, but it’s deeply rooted in my belief that tax-paying companies should not be competing with taxpayer-funded entities when it lowers the overall value to the community. Where the USG as an example is developing amazing expertise, it is also leaning on the very private sector cybersecurity firms that it runs the risk of destroying. When there is no market somewhere there is absolutely a reason for governments to enter the discussion. If you look at what CISA did with state and local commissions around election security as an example – grand slam home run, yes please do more of that. But hopefully that effort plus the ongoing private sector effort will lead to a vibrant market and community around election security that sees the government back out of that space and play more to the strategic and amplification role and responsibility they are fantastic at. In the same way, in the ICS community, early DHS ICS-CERT did proactive work across the sector in ways that drove conversations at the executive level and tried to help showcase the issue. Now there’s a vibrant ICS security community and market, and the butterfly effect and even unintended consequence of poor messaging or execution by government agencies like DHS/FBI/DOD could kill it.
So again I’ll ramble and say: “should” the government take on this mission? No. I do not think they’ve shown they understand the requirements, the way to engage the community, or the way to have us all play with a full hand, and do so in a way that isn’t just taking feedback from the executives in public but is actually understanding the tactical mission players they are working with, so that the effort leads us anywhere more productive. Said simply: they haven’t shown the maturity of understanding to even enter the discussion in a serious way. So no, they shouldn’t take on the broad and complex mission of protecting the private sector from cyber attacks.
But something does have to change. There are many companies that don’t have the resources to do cybersecurity. Many cybersecurity markets get created around the top 10% and sometimes even the top 1% of companies wanting to invest in cybersecurity. In fairness, if the answer to “can” was “yes” to just take the problem and solve it, I would be highly incentivized to say “yes” to the “should” regardless. I’d love this problem to be solved and to focus my time and talent elsewhere. But that’s not the reality we live in. Yes, we do need a more broad approach to cybersecurity and yes, the government “should” have visibility into challenges and threats facing the private sector. A Congresswoman should be able to know that in her district a strategic foreign adversary is compromising a site that has the potential to impact her constituents. But we all need to be really thoughtful about levying the requirements we all have instead of trying to force an answer and pretend we all agree on the requirements. Pushing an agenda of the government protecting networks or deploying technology for remote access and visibility isn’t the answer. The answer in my opinion will revolve around a no kidding discussion of what the requirements are and working with government and the private sector to understand how to achieve those requirements, being open to innovative and interesting approaches. Government can and should do work in the private sector; they should do it in partnership with private sector companies and vendors, and it should be done in a way that helps build the ecosystem and a sustainable approach. Grant programs (DOE’s CEDS, now under CESER, as an example) that are competitive bids to incentivize innovation and work in the private sector with help from governments – yes, do more of that, that’s awesome. But “We got this” is not a real answer and shouldn’t be.
We should all explore incentives for companies while also exploring ways to hold malign or incompetent actors accountable for choices that impact the community. I’m not anti-regulation as an example, but let’s not try to regulate ourselves into a secure state; let’s try to regulate away the things we know don’t work or can agree on as the basics. But the answer in my opinion should not be that governments message or attempt to do tactical network defense actions. I’ll end my rambling by stating unequivocally that, regardless of the “should”, the answer is they are not equipped or capable to do it today anyway.