2023-04-03

CISA Director Jen Easterly and Executive Assistant Director for Cybersecurity Eric Goldstein wrote, “A cyber threat to one organization is a threat to all organizations,” in an essay for Foreign Affairs.

As a cybersecurity community, we must start seeing cyber threats as a societal problem rather than a barrier to revenue generation if we are to stop blaming victims, concealing breaches, and ignoring vulnerabilities. Instead, we should encourage collective responsibility and inter-organizational collaboration among those charged with protecting the global economy from cybercriminals.

At the recent Global CISO Exchange, a two-day conference, senior infosec practitioners discussed the two key issues CISA’s Easterly and Goldstein believe are to blame for the current state of cyber affairs.

First, too many technology manufacturers prioritize sales over security, passing the massive responsibility of cybersecurity onto consumers and business users. We can see the effects of these deficiencies in how the software supply chain has been weaponized, with small and medium-sized businesses often bearing the brunt of the damage.

Second, cybersecurity is still too often siloed within IT departments or considered the sole responsibility of a chief information security officer. Failure to see cybersecurity as an existential business issue discourages disclosure and cooperation among professional peers. Today’s private sector businesses are forced to contend with state-backed threat actors whose budgets surpass all but a handful of companies. Yet, too many organizations still see cybersecurity as a fringe issue.

“Americans need a new model,” they write, “one they can trust to ensure the safety and integrity of the technology that they use every hour of every day.” Easterly and Goldstein discuss the need for technology that is “secure by design,” which they describe as technology “purposely designed, built, tested, and maintained to significantly reduce the number of exploitable flaws.”

A zero trust architecture (ZTA) applies that same principle to the environment around those products. It hides applications behind a broker so they cannot be discovered or probed for vulnerabilities by an arbitrary internet passerby, limits lateral movement by brokering connections from users to individual applications rather than to networks, and inspects both inbound and outbound encrypted traffic to catch malware and data exfiltration. The caveat is that ZTA reduces the exposure of a flawed product rather than removing the flaw, so it complements secure-by-design development instead of substituting for it.
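To make the user-to-application distinction concrete, here is an added example, written for this article and not code from the original post or from any vendor product: a toy policy decision point that contrasts a network perimeter (where location is the credential) with a zero trust broker that authorizes each request against one application’s policy. The users, roles, applications, address ranges and the device_compliant posture flag are all constructed assumptions; traffic inspection is not modeled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed corporate address space for the perimeter model (constructed).
CORP_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: Optional[str]      # None models an unauthenticated internet probe
    device_compliant: bool   # assumed posture signal, e.g. EDR running, disk encrypted
    src_ip: str
    app: str


# Constructed sample directory and per-application policy (not real data).
USER_ROLES = {"alice": {"sales"}, "bob": {"hr"}, "mallory": {"eng"}}
APP_POLICY = {
    "crm":        {"roles": {"sales", "support"},              "compliant_device": True},
    "hr-payroll": {"roles": {"hr"},                            "compliant_device": True},
    "wiki":       {"roles": {"sales", "support", "hr", "eng"}, "compliant_device": False},
}


def perimeter_decide(req: Request) -> bool:
    """Network-centric model: anything that reaches the corporate network
    can reach every application on it. Identity and device state are ignored."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_decide(req: Request) -> str:
    """Application-centric model: each request is evaluated against the policy
    of the single application it names, default deny, regardless of source
    address. Returns 'allow', 'deny' or 'not_found'.

    Unauthenticated callers get 'not_found' whether or not the application
    exists, so the broker discloses nothing to an internet scanner."""
    if req.user is None or req.user not in USER_ROLES:
        return "not_found"
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "not_found"
    if not (USER_ROLES[req.user] & policy["roles"]):
        return "deny"
    if policy["compliant_device"] and not req.device_compliant:
        return "deny"
    return "allow"


def reachable_apps(user, device_compliant, src_ip, model):
    """Set of applications a caller can reach under a model ('perimeter' or
    'zero_trust'). Used to compare the lateral-movement blast radius."""
    reach = set()
    for app in APP_POLICY:
        req = Request(user, device_compliant, src_ip, app)
        if model == "perimeter":
            ok = perimeter_decide(req)
        else:
            ok = zero_trust_decide(req) == "allow"
        if ok:
            reach.add(app)
    return reach


if __name__ == "__main__":
    # mallory: an engineer whose compliant laptop on the corporate LAN is compromised
    print("perimeter :", sorted(reachable_apps("mallory", True, "10.1.2.3", "perimeter")))
    print("zero trust:", sorted(reachable_apps("mallory", True, "10.1.2.3", "zero_trust")))
    # an internet scanner probing for the payroll application
    print("probe     :", zero_trust_decide(Request(None, False, "203.0.113.9", "hr-payroll")))
```

Running it shows the blast radius of a compromised account on the corporate LAN: every application under the perimeter model, only the one the role actually needs under the broker. The broker also answers unauthenticated probes with the same “not found” whether or not the application exists, which is the application-hiding property in its simplest form, and it grants alice’s compliant laptop the CRM from a coffee-shop address while denying the same user from the same address on an unmanaged device.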

While we’re stressing the need to make technology products more secure, why not take it a step further and focus on making the underlying architecture that enables their use more secure, too? Thankfully, the U.S. Federal Government has taken steps in that direction with Executive Order 14028 (May 2021), which directs federal agencies to advance toward a zero trust architecture.

A global ‘cyber-civil defense’ coalition

Drawing on the work of philanthropist and Craigslist founder Craig Newmark, Easterly and Goldstein call for a pervasive awareness-raising campaign infused into consumer reports, curricula, and “target rich, cyber poor” organizations like school districts, healthcare facilities, and local election offices.

“If the government and the private sector can build trust and work together,” they write, “cyberspace can become safer for everyone.” Say it again for the people in the back.

We are headed in the right direction with smart initiatives like the Joint Cyber Defense Collaborative (JCDC), of which I am proud to say Zscaler is a part. But I would expand this notion of cyber-civil defense to include cooperation between security executives at leading private sector organizations around the globe.

Regardless of which country hosts their headquarters, these organizations tend to be well-resourced, well-intentioned, and international. A global network of cooperative CXOs, determined to prevent economic and societal damage from cybercrime, would be a powerful ally in this fight.

State-backed threat actors are sheltered by geopolitical pariah states, including Russia, North Korea, and Iran. They continue to launch opportunistic attacks against our businesses, schools, hospitals, and governments from beyond the reach of international law enforcement coalitions.

Threat actors also realize that, at least in the United States, much critical infrastructure is privately owned and often poorly protected. CISA is mandated to address this issue of national security, a task that could be eased with cooperation and intelligence-sharing from the private sector.

Our mission is to collaborate both within the private sector and with our public sector counterparts to advance the goal of creating a safer cyberspace for everyone.

