Analysis & Opinions - War on the Rocks

Building a Regional, Right of Boom Cyber Defense Network

| June 07, 2022

The invasion of Ukraine thrust the Cybersecurity and Infrastructure Security Agency into public consciousness as the nation’s key cyber security risk advisor during a time of heightened risk. Congress recently passed legislation requiring critical infrastructure operators to notify the agency of security breaches, bringing it into closer contact with the private sector. This development builds on positive momentum for the agency, following a series of executive orders that expanded its authority and created a specific Joint Cyber Defense Collaborative to share information about threats between the public and private sectors. Nearly four years after its creation, the agency now has more visibility into the risks the country is facing and more resources at its disposal to combat them.

But to capitalize on this momentum toward greater public-private partnership, the agency should deepen its engagement with smaller organizations in the private sector and at the state and local levels. In our research, many private sector stakeholders described difficulties working with the federal government on cyber security issues: They didn’t know whom to speak with, and, even when they had a point of contact, did not always get the results they hoped for. What’s more, they sometimes worried about sharing information with federal law enforcement that would subject them to liability. The federal government also has concerns of its own. Private companies and state or municipality-run utilities often lack the resources and financial incentives to implement needed cyber security measures.

These systemic issues were highlighted in a recent three-hour phone call between senior Cybersecurity and Infrastructure Security Agency officials and over 13,000 private-sector cyber security professionals. Both agency director Jen Easterly and the stakeholders on the call noted the urgent need to better work with local and regional partners. And while the Joint Cyber Defense Collaborative is bringing the largest companies together with Cybersecurity and Infrastructure Security Agency, it is still only virtual collaboration.

In short, there is still a degree of distrust and distance preventing the government and private sector from working together to defend America’s cyber infrastructure. To overcome this, we recommend a more regional focus. The agency should start by bolstering its 10 existing regional offices with the $8 million in funding recommended for the agency’s FY2023 budget. This would bring more capabilities and presence into the field to build trusted relationships, increase information sharing, and focus on right of boom, or post-disaster, mitigation efforts.

For more information on this publication: Belfer Communications Office
For Academic Citation: Kennis, Graham and Lauren Zabierek .“Building a Regional, Right of Boom Cyber Defense Network.” War on the Rocks, June 7, 2022.