- The Biden administration has already made significant moves to address cybersecurity problems.
- The American Rescue Plan allocated $200 million toward cybersecurity hiring.
- There is currently no federal law that requires companies to disclose cyber breaches.
The spate of ransomware attacks over the past year underscores the need for better cooperation and information sharing between the federal government and private sector companies, cybersecurity experts say.
From last year's SolarWinds supply-chain compromise to the more recent Colonial Pipeline and Kaseya ransomware attacks, cyberthreats show no signs of abating. But with the right partnerships in place, and robust cooperation and transparency between companies and the government, the disruption and damage they cause can be reduced.
Cyber experts note that the Biden administration has already made significant moves to address this growing problem. More money has been directed towards agencies such as the Cybersecurity and Infrastructure Security Agency and the General Services Administration's Technology Modernization Fund. In May, Biden signed an executive order setting new federal cybersecurity requirements, including, among other measures, the creation of a Cyber Safety Review Board to examine significant breaches and cyberattacks after the fact.
On Wednesday, the CEOs of Amazon, Apple, and Microsoft are set to meet with Biden at the White House to discuss cybersecurity. The meeting will reportedly focus on how the private sector and government can better work together to detect and prevent further attacks, especially those that affect critical infrastructure services.
"We know we can't stop every cyber attack out there, but if we can get to a point where the number of victims is far fewer then it's a much more manageable situation," said Jamil Farshchi, chief information security officer at Equifax. "We can't do that without a strong partnership with the government and being able to have information sharing across all different industries."
One of the more urgent needs, if the private sector and the federal government are to share information more openly, is more cyber talent.
The American Rescue Plan passed in March allocated $200 million toward tech hiring, notes Dan Schiappa, chief product officer at cybersecurity firm Sophos. "Approximately one in three cybersecurity roles in the public sector are still unfilled," he says. "That's about 33,000 jobs and with a CISA vetting process that can take up to a year for new hires, there's no time to waste."
To speed this process up, Schiappa says the Biden administration should streamline processes like background checks to get qualified people into those roles more quickly. This would apply to both long-time public servants as well as private-sector hires who bring skills the federal government needs.
Getting the necessary cyber talent in the private sector is going to take more than expanding the pipeline, says Simone Petrella, co-founder and CEO of CyberVista, a cybersecurity workforce development company.
"There are currently about 460,000 open jobs in cybersecurity and waiting to get more talent into the field isn't going to make a dent in this need," she says. Instead, companies should be identifying employees with foundational IT talent that can be upskilled into cybersecurity roles.
"Someone in a general IT role already understands networks, they know how to do privileged access, so you can train them in security technical skills," Petrella says.
The other thing employers can do, she adds, is to be more open-minded about bringing on entry-level talent.
"This is more of a long-term people growth strategy that focuses on providing them with the job skills training they need in a measurable and meaningful way," Petrella says. "Companies need to spend the time to inventory their cyber roles and really understand specifically what you need this talent to do."
Better coordination and transparency between federal agencies and private sector companies would also go a long way in potentially preventing breaches in the first place.
"For a long time organizations have been providing information to the government," Farshchi says. "The problem is that we rarely get anything back, so it feels a bit like a black hole. It needs to be a two-way street."
Farshchi says a better model would have the government take in the information it receives from the private sector and then share it with organizations that might be at risk. "In most of these cases, the attacker will go after multiple firms with the same kind of attack," Farshchi says. "If the government is able to share this information in rapid real time, I can put in the defensive measures needed to be able to stop that attack from being successful within my own organization."
Taking it a step further would require companies to disclose data breaches when they happen. As Schiappa points out, there is currently no federal disclosure requirement for breaches, and as a result "companies have to follow a confusing maze of state laws and industry compliance requirements," he says. "A single federal law mandating breach reporting would streamline all of this."
Things are heading in that direction. In July, Sens. Mark Warner, D-Va., Marco Rubio, R-Fla., and Susan Collins, R-Maine, introduced the Cyber Incident Notification Act, a bill that would require some private-sector companies to report cyber intrusions to CISA. These include federal contractors and operators of critical infrastructure. In return, it would shield these companies from some of the potential negative consequences of revealing an attack, such as shareholder lawsuits.
Beyond this public-private partnership, some experts say that, ultimately, cybersecurity problems can't be solved without better consumer education.
"If consumers don't know how to spot threats, how can they protect their personal information or keep their identities safe?" says Farshchi. "Nearly 99% of today's cyber events are the result of a failure of fundamentals. And like in any sport, if you're not great at the fundamentals, you'll lose."