US cyber chiefs: Moving to Shields Down isn't gonna happen
Promises new alert notices but warn 'we can sometimes predict thunderstorms but not lightning strikes'
RSA Conference A heightened state of defensive cyber security posture is the new normal, according to federal cyber security chiefs speaking at the RSA Conference on Tuesday. This requires greater transparency and threat intel sharing between the government and private sector, they added.
"There'll never be a time when we don't defend ourselves –— especially in cyberspace," National Cyber Director Chris Inglis said, referencing an opinion piece that he and CISA director Jen Easterly published earlier this week that described CISA's Shields Up initiative as the new normal.
"Now, we all know that we can't sustain the highest level of alert for an extensive period of time, which is why we're thinking about, number one, what's that relationship that government needs to have with the private sector," Easterly said on the RSA Conference panel with Inglis and National Security Agency (NSA) cybersecurity director Rob Joyce.
We can sometimes predict thunderstorms but not lightning strikes.
The government officials pointed to CISA's Joint Cyber Defense Collaborative (JCDC) public-private group for sharing threat data and security skills and NSA's Cybersecurity Collaboration Center that works with the defense industry as examples of what successful cyber collaborations look like.
In addition to rethinking the relationship between the private and public sectors, CISA is also mulling an advisory framework that describes the cyber threat level, Easterly said.
"An advisory framework that can say, either nationally or in a localized way, what the threat is based on what we know from intelligence information, what we're getting from our partners, and make sure that that is calibrated, make sure that that is time bounded."
This will require "a more thoughtful way" of thinking about threats, and then communicating that to the public, she added.
"The goal is not prevention – we're not going to prevent bad things from happening," Easterly said. "We need to ensure that we are building systems, and architecting infrastructure, and frankly, developing people to be resilient, to make sure that we can detect things early, that we can respond, that we can recover, to be able to drive down risk."
And it's a team sport, Inglis added.
- Five Eyes turn spotlight on MSPs: Potential weak links in IT supply-chain security
- US Cyber Command shored up nine nations' defenses last year
- Expect 'long tail of cyber retaliation' from Russia for sanctions, says ExtraHop CEO
- Cisco EVP: We need to lift everyone above the cybersecurity poverty line
"We all must participate in our own defense in cyberspace," Inglis said. "There's a very proactive element – we've got to be as specific as possible, as timely as possible, as granular as possible and sharing information that is necessary to effect that defense."
To this end, the federal government will provide "very specific" threat information when it's available, he noted. "When we simply have a general warning, that's what you'll get. It's not because we won't tell you the rest of it, it's because we don't know."
"We can sometimes predict thunderstorms but not lightning strikes," Inglis continued. "So you just have to work with us to figure out how do we get this done in a collaboration."
CISA issued the Shields Up warning about the Russian invasion of Ukraine potentially spilling over into cyber offensives against the US earlier this year. Since then, the federal agencies have issued subsequent warnings about potential attacks against US critical infrastructure and networks.
But, to date, we haven't seen any major incidents against US targets – at least none that we know of. And because the government didn't provide specifics, some rumblings surfaced about the Feds withholding Russian threat intel.
This was not the case, Joyce said.
"We knew about real intentions," he said. "And that was the level of intel granularity. So it is hard to strike that balance: we really do know that there is bad intent out there, but we may not know the specifics of where it's going to strike." ®