Talk of collaboration and ecosystems in cybersecurity is nothing new. However, the events of the past year—supply chain attacks, the rapid shift to cloud, the adoption of remote work and more—have made it clear that while governments is already operating in those ecosystems, their approach to security has yet to catch up.
The move towards participating in cybersecurity ecosystems has been accelerating, driven largely by access to better tools or a greater variety of skills. For example, in 2020, 60% of states outsourced cyberthreat assessments, compared with just 43% two years earlier.1 However, recent events such as the wide-ranging hack of the US government and commercial vendors show the difficulties of living in a networked ecosystem.2 In the connected world, vulnerabilities of one organisation can threaten its partners, clients and even an entire industry. Attacks can scale dramatically, moving quickly between public and private networks. For example, the WannaCry ransomware attack of 2017 compromised more than 300,000 machines across 150 countries, including those of the United Kingdom’s National Health Service.3
So, what can government do to keep all the advantages of participating in ecosystems while mitigating the risks? A shift in government’s role in cybersecurity is the answer. No longer are governments content just to protect their own networks; many are beginning to take larger roles in coordinating security across public-private ecosystems.
The government cannot function in isolation. As such, there is a growing realisation within governments that in order to mount a proper national cyber defence, their role should expand from just securing public networks to helping to secure both public and private networks. Many governments across the world are already moving in this direction. Launched in 2016, the United Kingdom’s National Cyber Security Centre was created to provide a unified national response to cyberthreats and attacks.4 The centre provides cybersecurity support to the public sector, the private sector, including small and medium enterprises and the general public.5 The centre supported 723 incidents in the last year and also launched a suspicious-email reporting service for the general public, which flagged 2.3 million suspicious emails and removed 22,000 malicious websites in just four months.6
The same realisation of shared vulnerabilities in a cyber ecosystem drove the US Department of Defense (DoD) to release the Cybersecurity Maturity Model Certification (CMMC), which acts as a unified standard for implementing cybersecurity across the 300,000 companies of the Defense Industrial Base.7 CMMC is a cyber control and compliance framework that requires third-party analysis of the cyber controls for DoD contractors and subcontractors’.8
But the shifting role of government in cybersecurity is not without friction. To become effective in these new roles, governments must shift how they manage relationships, talent and even internal operations.
Ecosystems are by definition composed of relationships. So, securing an ecosystem requires using those relationships to share information and set norms of behaviour. This can be a significant shift for government agencies used to restricting sensitive data to only those with a “need to know.” But the shift towards greater sharing and collaborative decision-making is underway at every level.
Some ecosystems are formed at the international level, while others are limited to a specific country or a region. One example of international collaboration is CSIRTAmericas, a community of computer security incident response teams in the Americas region. Through sharing information and knowledge, often in real time, this group has put up a united response to emergencies such as the COVID-19 pandemic and the Wannacry ransomware attack. 9
At the national level, organisations in the Netherlands drawn from government, business, the knowledge sector and higher education have come together to form the Hague Security Delta, a cooperative body working for innovation in security. 10 In the United States, the Multi-State Information Sharing and Analysis Centre (MS-ISAC) enrolled its 10,000th government organisation in November 2020, a rise of about 9,000 organisations in the last seven years. MS-ISAC, a network of state, local and territorial governments, is set up to exchange knowledge on the latest cyberthreats, share cyber hygiene practices and get cyber risk assessment. 11
At the local level, partners such as City National Bank, IBM, AT&T, Cedars-Sinai and the City of Santa Monica have formed the Los Angeles Cyber Lab’s Threat Intelligence Sharing Platform, which collects information on cyberthreats from participants. Members can share this data anonymously for analysis and comparison. The lab uses the information to provide threat intelligence and trend analysis to all members, including smaller businesses that lack the capacity to track threats on their own. 12
Greater collaboration in an ecosystem results in more and varied types of systems, data and tools being used within an organisation. That requires technology talent with broader skills than most single organisations can provide. Fortunately, ecosystems can also help governments gain access to the right talent with the right skills. An ecosystem comprising academia and industry can help governments plug their cybersecurity talent gaps by creating a thriving, common cyber talent market rather than looking only for their own needs.
Cybersecurity training initiatives in the United States have focussed on higher education. For example, the National Institute of Standards and Technology awarded a grant to Florida International University, supporting programmes designed to train cybersecurity talent to work in state and local positions, national businesses and the US government. 14 The University of Buffalo received a US$2.39 million grant from the National Science Foundation to train future cybersecurity experts. 15 The US Department of Homeland Security offers grants and partnership opportunities focussed on cybersecurity for both K-12 schools and institutes of higher education, through the agency’s Science and Technology division. 16
US-based Cybersecurity Talent Initiative—a partnership between federal agencies, academia and the private sector—chooses students drawn from relevant fields for two-year placements with federal agencies that have cybersecurity needs. Towards the end of that service, students can apply for full-time jobs with private sector companies that participate in the programme. 17 To partner with the private sector, the United Kingdom has embraced the technology accelerator model, creating the Defense and Security Accelerator to identify and fund cybersecurity innovation both within and outside the government. 18
Governments also use competitions to take advantage of cybersecurity capabilities outside their own workforces. One popular model is the bug bounty programme, in which governments challenge pre-vetted hackers to find vulnerabilities in their networks and reward them for each bug they find. The United States’ first major bug bounty initiative, Hack the Pentagon, drew more than 1,400 competitors. Once the competition started, it took just 13 minutes to identify the first bug. 19
Singapore’s Ministry of Defense ran a bug bounty programme in early 2018 that identified 35 bugs; its top prize to an individual was S$2,000. During a separate competition that the Singapore government ran in December of that year, competitors helped to fix 26 bugs and received a total of just under S$12,000 in awards. 20
As government organisations start working within large ecosystems, they should also shift their operations to keep pace. The sheer number of interconnections in an ecosystem means that old models of security built on keeping threats at bay outside of networks simply do not work. Rather, security is beginning to shift towards models such as zero trust that assume breaches exist and look to verify that activity is authentic.
The impact of COVID-19 and the subsequent rapid shift to remote work accelerated the adoption of zero-trust models. One Deloitte survey of nearly 600 IT professionals found that 37% saw an acceleration in the adoption of zero trust due to COVID-19. 21
And that initial interest is spreading. In the United States, 44 federal agencies have created dedicated teams with line-item funding to either do research in zero-trust or start implementing it. 22 In the United Kingdom, the National Cyber Security Centre has released a beta version of its zero-trust principles on GitHub, 23 which external organisations can use as a guide while developing their own information systems and networks. 24
In this light, the adoption of zero-trust networks is not just another tool in the cybersecurity toolbox; rather, it is an important signal of government adjusting to its new role in cyber ecosystems.
Increase access to cutting-edge tools and technologies. Connecting with a wide array of partners - service providers, government agencies, academia, private industry - can help keep the government at the cutting edge of cyber tools, technologies and best practices.
Scale the sharing of threat information. Coordinating with ecosystems across levels of government and with other countries can ensure government access to the newest threat indicators and that leading practices are in place.
Grow your pool of leading talent. Tapping into a wider cyber talent ecosystem can expand access to the right skills.
Inculcate a zero-trust mindset. Cybersecurity needs a seat at the table, whether that be in executive decisions on new investments or operations in the form of DevSecOps.
Digital transformation, enabling technologies and connected communities are creating a new horizon of opportunities for enhanced government impact and citizen engagement. With these come new business models, expanded data management and access requirements, and technology modifications—all with varying risks. Deloitte collaborates with organisations to provide deeper insight into addressing cyber risks while promoting innovation and programme impact.