Chapter 9: Operationalize Cybersecurity Collaboration with the Private Sector

This pillar attempts to operationalize cybersecurity collaboration with the private sector by organizing and focusing US government efforts on areas where they can have an outsized impact.

STRATEGIC OBJECTIVE #1: IMPROVE GOVERNMENT SUPPORT TO PRIVATE SECTOR OPERATIONS
The federal government has limited resources and capabilities, and should prioritize the defense of systemically important critical infrastructure. And while steps have been taken, the effort falls short of codifying or fully implementing the social contract of shared responsibility and partnership in cybersecurity.

Key Recommendation: Congress should codify the concept of ‘systemically important critical infrastructure,’ whereby entities responsible for systems and assets that underpin national critical functions are ensured the full support of the US government and shoulder additional security requirements consistent with their unique status and importance.

Both the private sector and the US government have a vested interest in protecting these systems (SICI entities). The US government must be assured that these companies are taking their security responsibilities seriously, and private sector entities should likewise trust that the US government is fully leveraging its unique authorities and resources to support their security operations.

Enabling Recommendations:

Review And Update Intelligence Authorities to Increase Intelligence Support to the Broader Private Sector. The review should:

• Examine US foreign intelligence surveillance authorities to identify and address limitations in collection for cyber defense missions supporting private sector stakeholders.
• Review policies to identify limitations in the intelligence communities ability to share threat intelligence information with the private sector.
• Review cyber related information-sharing consent processes, including consent to monitor agreements, and assess gaps and opportunities for greater standardization and simplification while ensuring privacy and civil liberty protections.

Strengthen and Codify Processes for Identifying Broader Private Sector Cybersecurity Intelligence Needs and Priorities

• Congress should therefore direct and resource the federal government to establish a formal process to solicit and compile private sector input to inform national intelligence priorities, collection requirements, and more focused US intelligence support to private sector cybersecurity operations.

Empower Departments and Agencies to Serve Administrative Subpoenas in Support of Threat and Asset Response Activities

STRATEGIC OBJECTIVE #2: IMPROVE COMBINED SITUATIONAL AWARENESS OF CYBER THREATS
The US government must create the structures and processes to work with private sector entities that have unique insights of their own and a different view of threats impacting domestic and critical infrastructure.

Key Recommendation: Congress should establish and fund a Joint Collaborative Environment, a common and interoperable environment for the sharing and fusing of threat information, insight, and other relevant data across the federal government and between the public and private sectors.

There are still significant limitations on the government’s ability to develop a comprehensive picture of threat. They need to take steps to shift the burden of integration onto itself, establishing the mechanisms and enforceable procedures to build the situational awareness necessary for its own operations and for forging true operational collaboration with the private sector.

Therefore, the government should establish a “Joint Collaborative Environment”, a common cloud-based environment in which the federal government’s unclassified and classified cyber threat information, malware forensics, and network data from monitoring programs are made commonly available for query and analysis — to the greatest extent possible.

The program would make real the promise of a “whole of government” and public-private approach to cybersecurity, ensuring that network data, cyber threat intelligence, and malware forensics from each department or agency and the private sector are available at machine speech for comprehensive detection and analysis; should support federal cyber centers, an integrated cyber center at CISA, and a planning cell under CISA.

Enabling Recommendations:

Expand and Standardize Voluntary Threat Detection Programs

• The US government should take steps, through the Joint Collaborative Environment’s interagency council, to expand and more centrally fund, manage, and deploy these programs and ensure their interoperability with broader federal cyber threat-sharing and integration efforts.

Pass a National Cyber Incident Reporting Law

• As of now, the federal government lacks a mandate to systematically collect cyber incident information reliably and at the scale necessary to inform situation awareness. To address this, Congress should authorize DHS & DOJ to establish requirements for critical infrastructure entities to report cyber incidents to the federal government. In crafting this, DHS & DOJ should collaborate with public and private sector entities to identify the types of critical infrastructure entities to which it should apply.

Amend the Pen Register Trap and Trace (PRTT) Statute to Enable Better Identification of Malicious Actors

• Amending this would allow an avenue for defenders to receive information about attackers that is currently restricted to “Electronic Communication Providers”.
• To reduce ambiguity and allow the private sector a broader range of defensive techniques, Congress should amend 18 US Code 3121 (PRTT Statute), to help enable certain “active defense” activities. It would allow cyber companies to conduct more effective identifying activities on behalf of their companies or customers.

STRATEGIC OBJECTIVE #3: INTEGRATE PUBLIC AND PRIVATE SECTOR CYBER DEFENSE EFFORTS
Current federal government operations to defend against cyberattacks are decentralized and tend to be uncoordinated, leading to inefficiencies and the lack of a coherent, strategic approach to defend the nation. Therefore, the interests of critical infrastructure providers and parts of the private sector that are key to cyber defense are not always adequately incorporated into these defensive operations because of a lack of institutionalized processes and procedures for collaboration with federal agencies and a dearth of threat information

Key Recommendation: Congress should direct the executive branch to strengthen a public-private, integrated cyber center within CISA in support of the critical infrastructure security and resilience mission and to conduct a one year, comprehensive systems analysis review of federal cyber and cybersecurity centers, including plans to develop and improve integration.

The review should address the following:

• Strengthening CISA’s public-private integrated cyber center
• Identifying areas of integration and collocation
• Supporting the national security agency’s Cybersecurity Directorate (CSD)
• Assessing centralized, collocated public-private collaboration
• Increasing public-private sector integration

Key Recommendation: The executive branch should establish a Joint Cyber Planning Cell under the Cybersecurity and Infrastructure Security Agency to coordinate cybersecurity planning and readiness across the federal government and between the public and private sectors for significant cyber incidents and malicious cyber campaigns.

Effective planning is critical in this plan, and to address this shortcoming, the executive branch should establish a Joint Cyber Planning Cell under CISA that will facilitate comprehensive planning of defensive, non-intelligence cybersecurity campaigns across agencies.

Enabling Recommendations:

Institutionalize Department of Defense Participation in Public-Private Cybersecurity Initiatives

Expand Cyber Defense Collaboration with Information and Communications Technology (ICT) Enablers