NYCTF report sheds light on policymakers, industry leaders collaborating to build trust amid increasing cyber threats
The New York Cyber Task Force (NYCTF) published Monday a report that provides insight into how policymakers and industry leaders can cultivate collaboration and foster trust in the face of growing threats to the U.S. digital landscape. The report examines recent high-profile cyber incidents, such as SolarWinds, Colonial Pipeline, and Shields Up, to evaluate the private sector’s perspective on operational collaboration. It uses these case studies to examine key gaps and identify points of leverage to improve how the government and industry work together.
Titled ‘Bridging the Trust Gap,’ the NYCTF “report captures the scale of the cyber threat, providing policymakers and industry leaders actionable and timely insights for how they can collaborate and foster trust to protect our digital landscape from malicious actors,” Keren Yarhi-Milo, dean for the School of International and Public Affairs (SIPA) and Adlai E. Stevenson, professor of International Relations at Columbia University, wrote in the NYCTF report. “The task force has captured the voices of experts and industry practitioners who are not only leading scholars of cybersecurity but also leading policymakers who have steered through some of the most notable cyber attacks of recent times,” they added.
The NYCTF is a collaborative organization under the auspices of Columbia University’s SIPA that brings together experts from academia, industry, and government agencies.
Over the past year, the NYCTF convened cybersecurity leaders and practitioners and conducted extensive interviews to investigate different perspectives on the case studies and the current and future state of operational collaboration. The task force report provides implementable policy recommendations to improve trust and operational collaboration between industry and government at scale.
The NYCTF report identifies several key findings about operational collaboration that are common across all three cases, as well as those that are specific to the case studies. In general, the report identified that there has been significant progress in operational collaboration over the past decade; challenges of trust in the government are enduring and multifaceted, lacking a ‘whole-of-society’ approach. It is carefully cultivated over time, varies by context, and depends on grassroots, interpersonal, and working relationships.
Additionally, the government faces challenges of effective crisis communication and coordination of messaging to the private sector. There is uncertainty within the private sector about how a growing regulatory footprint will affect operational collaboration, effective operational collaboration often depends on size and maturity level, which is mismatched with the expectation that the government treats all companies equally.
“Across the three cases we examined, many agreed that the government appears to be learning. SolarWinds largely manifested as an issue of trust; Colonial Pipeline was primarily a challenge of transparency; and Shields Up contained issues of unclear objectives and audiences,” according to the NYCTF report. “A maturation is taking place over time across the three cases, demonstrating that the federal government is learning and adapting at a relatively rapid pace.”
At the same time, despite the consensus that collaboration has improved, across all three case studies most interviewees identified gaps and issues that have persisted for some time, the report identified. “Much of the sentiment about improved collaboration appears to reflect an assessment that the government is taking the concept seriously (or that it is using the term in the first place, in lieu of ‘information sharing’), but gaps in implementation remain, particularly with scaling solutions. Both SolarWinds and Colonial Pipeline reflect challenges of scaling—a finding that dovetails with the first NYCTF report’s focus on innovations at scale,” it added.
Additionally, some elements of the government have matured their capabilities for collaboration more so than others, and this difference may account for the apparent tension in the findings.
The report detected a nearly universal consensus that trust is not only essential for effective collaboration but is also elusive and easily undermined.
On the federal government’s challenges of effective crisis communication and coordination of messaging to the private sector, the NYCTF report identified that “this challenge is fundamental to the organization of the government itself. First, different agencies have different missions and priorities that are not always in concert. Further, Congress has deliberately made certain agencies independent from the President and the Executive Branch, such as the Federal Communications Commission or the SEC.”
It also recognized the government’s bureaucratic structure is set up for failure when interagency coordination is required. “This structure exists for good reasons, but it creates unintended negative consequences in the realm of cybersecurity collaboration. Executive Branch coordination problems are compounded by congressional independence, which, while essential for democratic government, further hampers the ability of the federal government to speak with a single voice and contributes additional messaging confusion around cybersecurity incidents.”
The NYCTF report detected skepticism about how a growing regulatory footprint will affect operational collaboration. “Frustration with the apparent lack of coordination between different regulatory efforts was clear, despite messaging coming from the government that regulation would be harmonized,” it added.
Another key finding is that those entities with the maturity and resources to operationally collaborate with the federal government already have access to much of the information the government has as well—if not, in some cases, better information. In contrast, those who lack the resources, pre-established interpersonal relationships, organizational maturity, and know-how to engage with the government may be the greatest potential beneficiaries of collaboration, but these benefits have gone unrealized.
The report is organized around four key recommendations focused on improving U.S. government crisis communications and transparency about cyber incidents, creating professional incentives and opportunities for collaboration, establishing a procedure for incorporating state and local stakeholders into operational collaboration and establishing a joint cyber warning center within the intelligence community.
The NYCTF report suggests institutionalizing crisis communications within the federal government. Multiple messages and communication channels from the government during an incident create confusion and undermine credibility, trust, and effectiveness of response, especially when competing priorities are communicated. It also recommended ensuring that there are professional incentives and opportunities for collaboration within government and industry and that the right people are in the room. People, expertise, and interpersonal relationships serve as the foundation for effective collaboration and the linchpin for cultivating trust.
It also called for incorporating state and local stakeholders into operational collaboration. The federal government cannot conduct incident response at scale for all state and local victims, and state and local governments vary significantly in cyber capability. The report also suggests establishing a joint cyber warning center within the intelligence community that includes public and private sector elements. The warning should be clear about what the recipients of such information are expecting or being asked to do as a response.
Related
