I recently sat down with Nicole Perlroth for a fascinating talk about cybersecurity and ways the public and private sectors should interact. Our discussion took place last week at CXO Summit Live in Silicon Valley at the iconic Hayes Mansion.
Nicole is the author of This is How They Tell Me The World Ends, and the former lead cybersecurity reporter at The New York Times. She spent a decade investigating some of the biggest cyber events of modern times before accepting an advisory role at CISA. In doing so, she established her cybersecurity expertise in both the public and private sectors.
Nicole’s current role at CISA grants her access to information often unavailable to the news media. For example, she shared details of the conflict in Ukraine, which is serving as a testing ground for cyberweapons. At the start of the invasion, she was concerned that Russian cyber teams would create incredible disruptions and cause widespread chaos. When this failed to occur, her colleagues questioned whether her initial response to the invasion was an overreaction. What was not publicly known was the sheer number of cyberattacks either delayed by the Russians or discovered and stopped before taking effect.
For example, on the subject of Russia infiltrating Ukrainian power stations, Perlroth said:
“We found out that they actually did infiltrate these Ukrainian substations. They didn't turn the power off immediately. They waited until April to time that attack for when things weren't going Russia's way. I suspect the Kremlin believed its own faulty intelligence – that they would have their puppet government installed in 48 to 72 hours. Why would they want to sabotage themselves by switching off the power? So they waited, and what happened? The Ukraine Cyber Defense Agency in collaboration with CISA and other Western allies and private companies sharing threat data discovered this attack before it could detonate.”
She followed this up by reminding attendees that the cyber technologies deployed in Ukraine today can be refined and redeployed in another hotspot tomorrow. This time the cyber defenders seem better prepared, but both sides of the conflict are learning lessons and refining strategies. Perlroth then spoke on the domestic issues facing public and private organizations in the United States.
Several factors make cooperation between the public and private sectors difficult in the U.S. The two share a complicated history, as demonstrated by the Edward Snowden NSA leaks. When private industries discovered the government exploiting backdoors into their infrastructure, it soured relations. A few years later, when massive ransomware attacks crippled JBS, Colonial Pipeline, and others, businesses wondered why the NSA wasn’t doing anything to stop the attacks. Nicole used this example to show how the NSA went from being viewed as an antagonist of the private industry to a failed protector. In truth, the private industry’s frustration toward the government for failing to protect critical infrastructure is largely misplaced.
This is because 85% of U.S. critical infrastructure is privately owned. The government has little ability to monitor or protect infrastructure that it does not control. Unfortunately, the private interests who own critical infrastructure often have inadequate cybersecurity measures in place. This leaves the government in a position where it has limited options. It can try to regulate cybersecurity policies for private industry or experiment with various incentives to encourage them to improve independently. Currently, the public sector is trying a bit of both.
On the regulatory side, CISA hopes to collaborate and form true partnerships with businesses to advance effective cybersecurity practices. Yet, CISA is not the only government agency advancing cybersecurity regulations, and U.S. critical infrastructure is in dire need of attention. In one surprising revelation, Perlroth mentioned that the Colonial Pipeline attack was three days away from shutting down U.S. manufacturing due to a diesel shortage.
For incentives, the government has laid the groundwork for using its power of the purse to cajole private industry compliance. Perlroth cites President Biden’s cyber Executive Order as a likely blueprint of things to come. Rather than regulating various industries, the federal government will set cybersecurity standards that organizations must meet to do business with them. If a company contracting with the government is breached because it failed to comply with standards, it will be barred from receiving future contracts.
Fortunately, businesses interested in collaborating with CISA can simply reach out to the agency. When CISA proposes new ideas for cyber legislation, they open the floor to public commentary and solicit feedback before moving forward. Perlroth said she believes we are ultimately headed toward a digital equivalent of the Sarbanes-Oxley Act. If so, private organizations may want to collaborate with the public sector on cybersecurity sooner rather than later.
I had a wonderful time discussing these and other fascinating issues with Nicole Perlroth. The twenty-five minutes we spent together were full of new revelations and introduced many topics worthy of their own discussion panels. True to the spirit of CXO Summit Live events, she brought a wealth of expertise and insider knowledge to share with the other attendees.
What to read next: