Article
10 minute read 04 March 2021

Government’s broader role in cyber

How governments are adjusting to help secure cyber ecosystems

Amry Junaideen

Amry Junaideen

United States

Andrea Rigoni

Andrea Rigoni

Italy

Hokkie Blogg

Hokkie Blogg

Netherlands

Joe Mariani

Joe Mariani

United States

Governments have long recognized the necessity of cybersecurity in their networks—but now they may need to expand their focus to the entire cybersecurity ecosystem. Here’s why.

Talk of collaboration and ecosystems in cybersecurity is nothing new. However, the events of the past year—supply chain attacks, the rapid shift to cloud, the adoption of remote work, and more—have made it clear that while governments is already operating in those ecosystems, their approach to security has yet to catch up.

The move toward participating in cybersecurity ecosystems has been accelerating, driven largely by access to better tools or a greater variety of skills. For example, in 2020, 60% of states outsourced cyberthreat assessments, compared with just 43% two years earlier.1 However, recent events such as the wide-ranging hack of the US government and commercial vendors show the difficulties of living in a networked ecosystem.2 In the connected world, vulnerabilities of one organization can threaten its partners, clients, and even an entire industry. Attacks can scale dramatically, moving quickly between public and private networks. For example, the WannaCry ransomware attack of 2017 compromised more than 300,000 machines across 150 countries, including those of the United Kingdom’s National Health Service.3

So, what can government do to keep all the advantages of participating in ecosystems while mitigating the risks? A shift in government’s role in cybersecurity is the answer. No longer are governments content just to protect their own networks; many are beginning to take larger roles in coordinating security across public-private ecosystems.

The shifting role of government in cybersecurity

The government cannot function in isolation. As such, there is a growing realization within governments that in order to mount a proper national cyber defense, their role should expand from just securing public networks to helping to secure both public and private networks. Many governments across the world are already moving in this direction. Launched in 2016, the United Kingdom’s National Cyber Security Centre was created to provide a unified national response to cyberthreats and attacks.4 The center provides cybersecurity support to the public sector, the private sector, including small and medium enterprises, and the general public.5 The center supported 723 incidents in the last year and also launched a suspicious-email reporting service for the general public, which flagged 2.3 million suspicious emails and removed 22,000 malicious websites in just four months.6

The same realization of shared vulnerabilities in a cyber ecosystem drove the US Department of Defense (DoD) to release the Cybersecurity Maturity Model Certification (CMMC), which acts as a unified standard for implementing cybersecurity across the 300,000 companies of the Defense Industrial Base.7 CMMC is a cyber control and compliance framework that requires third-party analysis of the cyber controls for DoD contractors and subcontractors’.8

But the shifting role of government in cybersecurity is not without friction. To become effective in these new roles, governments must shift how they manage relationships, talent, and even internal operations.

Shifting relationships: From need to know to shared info and norms

Ecosystems are by definition composed of relationships. So, securing an ecosystem requires using those relationships to share information and set norms of behavior. This can be a significant shift for government agencies used to restricting sensitive data to only those with a “need to know.” But the shift toward greater sharing and collaborative decision-making is underway at every level.

Some ecosystems are formed at the international level, while others are limited to a specific country or a region. One example of international collaboration is CSIRTAmericas, a community of computer security incident response teams in the Americas region. Through sharing information and knowledge, often in real time, this group has put up a united response to emergencies such as the COVID-19 pandemic and the Wannacry ransomware attack.9

At the national level, organizations in the Netherlands drawn from government, business, the knowledge sector, and higher education have come together to form the Hague Security Delta, a cooperative body working for innovation in security.10 In the United States, the Multi-State Information Sharing and Analysis Center (MS-ISAC) enrolled its 10,000th government organization in November 2020, a rise of about 9,000 organizations in the last seven years. MS-ISAC, a network of state, local, and territorial governments, is set up to exchange knowledge on the latest cyberthreats, share cyber hygiene practices, and get cyber risk assessment.11

At the local level, partners such as City National Bank, IBM, AT&T, Cedars-Sinai, and the City of Santa Monica have formed the Los Angeles Cyber Lab’s Threat Intelligence Sharing Platform, which collects information on cyberthreats from participants. Members can share this data anonymously for analysis and comparison. The lab uses the information to provide threat intelligence and trend analysis to all members, including smaller businesses that lack the capacity to track threats on their own.12

Shifting human capital: From my talent to our talent 

Greater collaboration in an ecosystem results in more and varied types of systems, data, and tools being used within an organization. That requires technology talent with broader skills than most single organizations can provide. Fortunately, ecosystems can also help governments gain access to the right talent with the right skills. An ecosystem comprising academia and industry can help governments plug their cybersecurity talent gaps by creating a thriving, common cyber talent market rather than looking only for their own needs. 

Education institutions

Israel offers cybersecurity training at all levels of its educational system, starting in middle school and continuing through graduate school, where students can earn PhDs in cybersecurity.13

Cybersecurity training initiatives in the United States have focused on higher education. For example, the National Institute of Standards and Technology awarded a grant to Florida International University, supporting programs designed to train cybersecurity talent to work in state and local positions, national businesses, and the US government.14 The University of Buffalo received a US$2.39 million grant from the National Science Foundation to train future cybersecurity experts.15 The US Department of Homeland Security offers grants and partnership opportunities focused on cybersecurity for both K-12 schools and institutes of higher education, through the agency’s Science and Technology division.16

Public-private partnerships 

US-based Cybersecurity Talent Initiative—a partnership between federal agencies, academia, and the private sector—chooses students drawn from relevant fields for two-year placements with federal agencies that have cybersecurity needs. Toward the end of that service, students can apply for full-time jobs with private sector companies that participate in the program.17 To partner with the private sector, the United Kingdom has embraced the technology accelerator model, creating the Defense and Security Accelerator to identify and fund cybersecurity innovation both within and outside the government.18

Competitions and prizes

Governments also use competitions to take advantage of cybersecurity capabilities outside their own workforces. One popular model is the bug bounty program, in which governments challenge pre-vetted hackers to find vulnerabilities in their networks, and reward them for each bug they find. The United States’ first major bug bounty initiative, Hack the Pentagon, drew more than 1,400 competitors. Once the competition started, it took just 13 minutes to identify the first bug.19

Singapore’s Ministry of Defense ran a bug bounty program in early 2018 that identified 35 bugs; its top prize to an individual was S$2,000. During a separate competition that the Singapore government ran in December of that year, competitors helped to fix 26 bugs and received a total of just under S$12,000 in awards.20

Shifting operations: From keep at bay to always verify

As government organizations start working within large ecosystems, they should also shift their operations to keep pace. The sheer number of interconnections in an ecosystem means that old models of security built on keeping threats at bay outside of networks simply do not work. Rather, security is beginning to shift toward models such as zero trust that assume breaches exist and look to verify that activity is authentic. 

The impact of COVID-19 and the subsequent rapid shift to remote work accelerated the adoption of zero-trust models. One Deloitte survey of nearly 600 IT professionals found that 37% saw an acceleration in the adoption of zero trust due to COVID-19.21

And that initial interest is spreading. In the United States, 44 federal agencies have created dedicated teams with line-item funding to either do research in zero-trust or start implementing it.22 In the United Kingdom, the National Cyber Security Centre has released a beta version of its zero-trust principles on GitHub,23 which external organizations can use as a guide while developing their own information systems and networks.24

In this light, the adoption of zero-trust networks is not just another tool in the cybersecurity toolbox; rather, it is an important signal of government adjusting to its new role in cyber ecosystems.

Data signals

  • Australia’s federal government plans to invest A$1.35 billion in cybersecurity over the next decade.25
  • The US federal government’s demand for vendor-based information security products and services is expected to increase from US$11.9 billion in FY2019 to US$15.4 billion in FY2024, growing at a compound annual growth rate of 5.3%.26
  • Seventy-six percent of US state chief information security officers believe that a centralized model can most effectively improve the cybersecurity function.27

Moving forward

Increase access to cutting-edge tools and technologies. Connecting with a wide array of partners—service providers, government agencies, academia, private industry—can help keep the government at the cutting edge of cyber tools, technologies, and best practices.

Scale the sharing of threat information. Coordinating with ecosystems across levels of government and with other countries can ensure government access to the newest threat indicators, and that leading practices are in place.

Grow your pool of leading talent. Tapping into a wider cyber talent ecosystem can expand access to the right skills.

Inculcate a zero-trust mindset. Cybersecurity needs a seat at the table, whether that be in executive decisions on new investments or operations in the form of DevSecOps.

 

  1. Srini Subramanian and Meredith Ward, 2020 Deloitte–NASCIO Cybersecurity Study , Deloitte Insights, October 14, 2020.View in Article
  2. Kari Paul and Lois Beckett, “What we know—and still don’t—about the worst-ever US government cyber-attack ,” The Guardian, December 19, 2020.View in Article
  3. Heather Landi, “Report: 40% of healthcare organizations hit by WannaCry in past 6 months ,” FIERCE Healthcare, May 29, 2020; Matthew Field, “WannaCry cyber-attack cost the NHS £92m as 19,000 appointments cancelled ,” Telegraph, October 11, 2018.View in Article
  4. UK Information Commissioner’s Office, “The role of the National Cyber Security Centre (NCSC) ,” accessed January 21, 2021.View in Article
  5. UK National Cybersecurity Centre, “About the NCSC ,” accessed January 21, 2021.View in Article
  6. UK National Cybersecurity Centre, “NCSC defends UK from more than 700 cyber attacks while supporting national pandemic response ,” accessed January 21, 2021.View in Article
  7. Josh Fruhlinger, “Top cybersecurity facts, figures and statistics ,” CSO Online, March 9, 2020.View in Article
  8. Deloitte, “Cybersecurity Maturity Model Certification (CMMC) ,” accessed January 21, 2021.View in Article
  9. Belisario Contreras, “3 ways governments can address cybersecurity in the post-pandemic world ,” World Economic Forum, June 29, 2020.View in Article
  10. The Hague Security Custer, “The Dutch security cluster ,” accessed January 21, 2021; The Hague Security Custer, “Partners ,” accessed January 21, 2021.View in Article
  11. Benjamin Freed, “MS-ISAC hits 10,000 members, eyes continued growth with local governments ,” StateScoop, November 20, 2020.View in Article
  12. LA Mayor, “Mayor Garcetti launches country’s first city-developed threat sharing platform and public cybersecurity mobile app ,” September 17, 2019.View in Article
  13. Gil Press, “6 Reasons Israel became a cybersecurity powerhouse leading the $82 billion industry ,” Forbes, July 18, 2017.View in Article
  14. NIST, “NIST and Florida International University join forces on cybersecurity education outreach ,” April 4, 2018.View in Article
  15. Cory Nealon, “UB awarded $2.39 million to train future cybersecurity experts ,” UB Now, September 5, 2018.View in Article
  16. Erika Gimbel, “U.S. Government taps into nation’s colleges for cybersecurity expertise ,” EdTech, January 3, 2019.View in Article
  17. Jessie Bur, “Cyber talent program places its first class of new feds ,” Federal Times, September 2, 2020.View in Article
  18. Gov.UK, “£1-million innovation funding to predict and counter cyber-attacks ,” accessed January 21, 2021.View in Article
  19. Susan Miller, “Government leads the way in crowdsourced security ,” GCN, July 13, 2018.View in Article
  20. Crowdswarm, “Singapore Government Tries a Second, Expanded Bug Bounty ,” July 3, 2019.View in Article
  21. Deloitte, “Zero trust: Never trust, always verify ,” September 2, 2020.View in Article
  22. Forcepoint, “Blueprint for zero trust in a remote world ,” accessed January 21, 2021.View in Article
  23. UK National Cyber Security Center, “Zero trust principles—beta release ,” October 29, 2020.View in Article
  24. Github, “Zero trust architecture design principles ,” accessed January 21, 2021.View in Article
  25. Jade Macmillan, “Cybersecurity spending gets $1.35 billion boost in wake of online attacks against Australia ,” ABC News, June 29, 2020.View in Article
  26. GovWin, “Federal information security market, 2019-2024 ,” October 30, 2019.View in Article
  27. Subramanian and Ward, 2020 Deloitte–NASCIO Cybersecurity Study .
    View in Article

 

The authors like to thank Pankaj Kishnani and Akash Keyal from the Deloitte Center for Government Insights for driving the research and development of this trend.

The authors would also like to thank Thirumalai Kannan D for his research contributions and Adam Routh and Mahesh Kelkar for their insights and thoughtful feedback on the drafts.

Cover image by: Lucie Rice

 

Government & Public Services Cyber Risk

Digital transformation, enabling technologies, and connected communities are creating a new horizon of opportunities for enhanced government impact and citizen engagement. With these come new business models, expanded data management and access requirements, and technology modifications—all with varying risks. Deloitte collaborates with organizations to provide deeper insight into addressing cyber risks while promoting innovation and program impact.

Amry Junaideen

Amry Junaideen

Subscribe

to receive more business insights, analysis, and perspectives from Deloitte Insights