Cybersecurity is too big a job for governments or business to handle alone

• Business and government are exposing each other to an increasing range of cyber-risks.

• Current efforts to pool cybersecurity resources are limited in scope.

• Sharing threat intelligence is the first step to provide a clear cyberthreat picture.

The recent hack of network management company SolarWinds, which enabled bad actors to compromise a range of US government agencies and major corporations, has revealed a troubling truth: Business and government expose each other to significant cyber-risks because they are interconnected and rely on the same network of software vendors. That’s why the strategic response must involve more intense collaboration. Simply put, the threat of cyberattacks is too big a job for either government or business to tackle alone.

Cybersecurity complaints to the US Federal Bureau of Investigation more than tripled during the pandemic last year, while the average payment by victims of ransomware jumped 43% in the first quarter of 2021 from the preceding quarter. Attacks on the software supply chain are growing exponentially, and the burgeoning Internet of Things (IoT) and 5G wireless technology offer more vulnerabilities to exploit.

Governments have a broad view of potential threats through law enforcement and intelligence capabilities, but they tend to see things through a national security lens rather than commercial risk. Companies have firm- and sector-specific risk information and often enjoy better access to cybersecurity talent, but they can’t easily take an economy-wide view and may find themselves overwhelmed by state-sponsored attackers.

What’s needed is for both sides to pool their resources for a more concerted defence. Some of that is already happening. The US’s Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services, and the FBI warned in October 2020 that “malicious cyber actors” were targeting healthcare and public health institutions to make ransomware demands and disrupt health services. But such efforts tend to be the exception and come too late. Both sides need to intensify their collaboration and make it more proactive.

Senior officials recognize more needs to be done. FBI Director Christopher Wray called recently for government and the private sector to collaborate in an organized fight against cyber conspirators rather than parrying each individual attack. Chris Inglis, a former top National Security Administration official who President Biden has nominated to become the country’s first national cyber director, could make public-private collaboration a key element of the nation’s cyberstrategy.

Here are four ways that government and business can join forces in the battle for cybersecurity:

Governments and companies have different sources of information, insight and intelligence. Pooling them in a timely manner will create a clearer and more current picture of cyberthreats. Some exchanges are already taking place. The United Kingdom’s National Cyber Security Centre operates a Cyber Security Information Sharing Partnership with industry, while CISA has similar partnerships with US operators of critical infrastructure. Europol, the European Union’s law enforcement agency, has taken the concept a step further by creating a website where public and private entities can share decryption tools to recover from ransomware attacks without paying off thieves.

Such initiatives are valuable, but information-sharing isn’t yet consistent or timely enough. Corporate executives often feel that they provide data as needed, but government counterparts don’t reciprocate. Intelligence services frequently don’t want to disclose potential threats for fear of inundating companies with potential risks or revealing tradecraft secrets. And certain corporations may worry that disclosing cyber-related events could open their controls or cyber-risk management to unwelcome scrutiny, onerous regulation or penalties.

Both sides can build trust and deepen the cooperation. The recently announced Nationwide Cybersecurity Center collaboration with Google to provide cyber training to US state legislators and their staff represents the kind of initiative we need to see more of.

Governments, companies and other institutions around the world face a shortage of cybersecurity professionals estimated at more than 3 million – nearly as many as the estimated 3.5 million people currently working in the field. Arguably, there is labour capacity that could be marshalled here. The challenge is twofold: attracting more people to retrain in cybersecurity, and ensuring that curricula enable students and trainees to keep pace with fast-changing threats.

The US government’s National Initiative for Cybersecurity Education recently revised its framework for developing talent so schools can provide more relevant instruction and companies can be sure that graduates have the necessary competencies. The UK’s National Cyber Security Centre created CyberFirst, which offers everything from university financial assistance and apprenticeships to summer programmes to attract young people to the field.

The Cybersecurity Workforce Alliance, which was founded by major financial institutions, the City University of New York (CUNY), and workforce development specialist iQ4, boasts over 2,700 members from industry, academia, and government, and aims to provide internships to more than 10,000 US students through 2022. The New York City Economic Development Corp has teamed up with local businesses and universities to create cyber degree programs and an accelerator to foster the growth of start-ups in the space. More such efforts are needed, though, to plug the cyber talent gap.

Even the best cyber defence is likely to be cracked. That’s why effective organizations have well-rehearsed plans in place to deal with attackers.

Several nations provide forums where government and business collaborate in response to cyberattacks. In the US, CISA’s National Cyber Incident Response Plan defines cyber defence as a “shared responsibility” of individuals, the private sector and government, spells out the roles government departments will play in responding to attacks, and commits federal officials to safeguarding the privacy and intellectual property of companies. The UK’s National Cyber Security Centre, an arm of the GCHQ intelligence agency, coordinates similar responses and sets out which private-sector cyber specialists it will collaborate with.

Such plans should include real training exercises, not just role-playing discussions. The financial sector provides a good example here. The Securities Industry and Financial Markets Association has been conducting cybersecurity exercises since 2011. The latest Quantum Dawn V exercise, in November 2019, brought together more than 150 financial firms and 50 regulatory bodies across 19 countries to practise responding to a simulated ransomware attack on systemically important institutions and a financial markets utility. The key takeaways: The industry should create a directory of key players and personnel, and strengthen cross-border sharing of information among firms, trade associations and regulators like central banks.

More such exercises need to be done. Threat factors vary by commercial sector, and the more governments can learn about what matters and to whom, the better prepared officials will be to gather valuable threat intelligence.

Human error, such as falling for a phishing attack and downloading malware, is involved in 95% of successful cyberattacks. We can’t eliminate that vulnerability, but we should be able to reduce it by building better security into technology devices in the first place – something many tech firms overlook or ignore in the rush to bring new products and services to market.

Australia’s eSafety Commissioner, the world’s first government agency devoted to increasing public awareness and education about cyber-risks, convened representatives of industry, government, consumer advocates, and non-profits in 2019 to agree on a set of principles for increasing the inherent safety of online services. Prime among them is the idea that safety should never be the sole responsibility of the consumer, and that companies mitigate risk factors for all users before releasing services to the public. In December, the US adopted legislation requiring the government to set higher standards for the security of IoT devices.

Other nations should follow those leads. The ultimate goal would be the cyber equivalent of the British Standards Institution’s Kitemark, a designation showing that everything from electrical appliances to mobile devices meet safety standards.

As technology’s role in society increases, cybersecurity will become an ever-greater challenge. Governments and the private sector have a shared interest and responsibility to face that threat together.