Shifting relationships: From need to know to shared info and norms
Ecosystems are by definition composed of relationships. So, securing an ecosystem requires using those relationships to share information and set norms of behavior. This can be a significant shift for government agencies used to restricting sensitive data to only those with a “need to know.” But the shift toward greater sharing and collaborative decision-making is underway at every level.
Some ecosystems are formed at the international level, while others are limited to a specific country or a region. One example of international collaboration is CSIRTAmericas, a community of computer security incident response teams in the Americas region. Through sharing information and knowledge, often in real time, this group has put up a united response to emergencies such as the COVID-19 pandemic and the Wannacry ransomware attack.9
At the national level, organizations in the Netherlands drawn from government, business, the knowledge sector, and higher education have come together to form the Hague Security Delta, a cooperative body working for innovation in security.10 In the United States, the Multi-State Information Sharing and Analysis Center (MS-ISAC) enrolled its 10,000th government organization in November 2020, a rise of about 9,000 organizations in the last seven years. MS-ISAC, a network of state, local, and territorial governments, is set up to exchange knowledge on the latest cyberthreats, share cyber hygiene practices, and get cyber risk assessment.11
At the local level, partners such as City National Bank, IBM, AT&T, Cedars-Sinai, and the City of Santa Monica have formed the Los Angeles Cyber Lab’s Threat Intelligence Sharing Platform, which collects information on cyberthreats from participants. Members can share this data anonymously for analysis and comparison. The lab uses the information to provide threat intelligence and trend analysis to all members, including smaller businesses that lack the capacity to track threats on their own.12
Shifting human capital: From my talent to our talent
Greater collaboration in an ecosystem results in more and varied types of systems, data, and tools being used within an organization. That requires technology talent with broader skills than most single organizations can provide. Fortunately, ecosystems can also help governments gain access to the right talent with the right skills. An ecosystem comprising academia and industry can help governments plug their cybersecurity talent gaps by creating a thriving, common cyber talent market rather than looking only for their own needs.
Israel offers cybersecurity training at all levels of its educational system, starting in middle school and continuing through graduate school, where students can earn PhDs in cybersecurity.13
Cybersecurity training initiatives in the United States have focused on higher education. For example, the National Institute of Standards and Technology awarded a grant to Florida International University, supporting programs designed to train cybersecurity talent to work in state and local positions, national businesses, and the US government.14 The University of Buffalo received a US$2.39 million grant from the National Science Foundation to train future cybersecurity experts.15 The US Department of Homeland Security offers grants and partnership opportunities focused on cybersecurity for both K-12 schools and institutes of higher education, through the agency’s Science and Technology division.16
US-based Cybersecurity Talent Initiative—a partnership between federal agencies, academia, and the private sector—chooses students drawn from relevant fields for two-year placements with federal agencies that have cybersecurity needs. Toward the end of that service, students can apply for full-time jobs with private sector companies that participate in the program.17 To partner with the private sector, the United Kingdom has embraced the technology accelerator model, creating the Defense and Security Accelerator to identify and fund cybersecurity innovation both within and outside the government.18
Competitions and prizes
Governments also use competitions to take advantage of cybersecurity capabilities outside their own workforces. One popular model is the bug bounty program, in which governments challenge pre-vetted hackers to find vulnerabilities in their networks, and reward them for each bug they find. The United States’ first major bug bounty initiative, Hack the Pentagon, drew more than 1,400 competitors. Once the competition started, it took just 13 minutes to identify the first bug.19
Singapore’s Ministry of Defense ran a bug bounty program in early 2018 that identified 35 bugs; its top prize to an individual was S$2,000. During a separate competition that the Singapore government ran in December of that year, competitors helped to fix 26 bugs and received a total of just under S$12,000 in awards.20
Shifting operations: From keep at bay to always verify
As government organizations start working within large ecosystems, they should also shift their operations to keep pace. The sheer number of interconnections in an ecosystem means that old models of security built on keeping threats at bay outside of networks simply do not work. Rather, security is beginning to shift toward models such as zero trust that assume breaches exist and look to verify that activity is authentic.
The impact of COVID-19 and the subsequent rapid shift to remote work accelerated the adoption of zero-trust models. One Deloitte survey of nearly 600 IT professionals found that 37% saw an acceleration in the adoption of zero trust due to COVID-19.21
And that initial interest is spreading. In the United States, 44 federal agencies have created dedicated teams with line-item funding to either do research in zero-trust or start implementing it.22 In the United Kingdom, the National Cyber Security Centre has released a beta version of its zero-trust principles on GitHub,23 which external organizations can use as a guide while developing their own information systems and networks.24
In this light, the adoption of zero-trust networks is not just another tool in the cybersecurity toolbox; rather, it is an important signal of government adjusting to its new role in cyber ecosystems.
- Australia’s federal government plans to invest A$1.35 billion in cybersecurity over the next decade.25
- The US federal government’s demand for vendor-based information security products and services is expected to increase from US$11.9 billion in FY2019 to US$15.4 billion in FY2024, growing at a compound annual growth rate of 5.3%.26
- Seventy-six percent of US state chief information security officers believe that a centralized model can most effectively improve the cybersecurity function.27
Increase access to cutting-edge tools and technologies. Connecting with a wide array of partners—service providers, government agencies, academia, private industry—can help keep the government at the cutting edge of cyber tools, technologies, and best practices.
Scale the sharing of threat information. Coordinating with ecosystems across levels of government and with other countries can ensure government access to the newest threat indicators, and that leading practices are in place.
Grow your pool of leading talent. Tapping into a wider cyber talent ecosystem can expand access to the right skills.
Inculcate a zero-trust mindset. Cybersecurity needs a seat at the table, whether that be in executive decisions on new investments or operations in the form of DevSecOps.