Ari Schwartz, who leads the cyber practice at Venable and once served as a National Security Council cybersecurity director, says CISA and NIST continue to lead the way on partnering with industry but that collaboration between business sectors and other federal agencies has fallen off in recent years.
Cybersecurity and Infrastructure Security Agency Director Christopher “Krebs has done a really good job of engaging industry in public-private partnerships, but in the rest of the government – beyond CISA and NIST – the amount of ongoing collaboration has gone down,” Schwartz told Inside Cybersecurity.
“Cybersecurity is not as much a priority for the rest of the administration,” Schwartz said. “There’s so much chaos right now” in the political and policy spaces, he said, that “cybersecurity isn’t rising up like it has in calmer times. Plus, we have a president who doesn’t talk about cybersecurity.”
Ari Schwartz, Managing Director of Cybersecurity Services, Venable
Schwartz served on the Obama NSC and now directs cyber services at Venable and coordinates the Cybersecurity Coalition, a public policy advocacy group of cyber firms.
Among the partnerships underway, CISA is leading a major collaboration in the information and communications technology space, while NIST is working with industry partners to update its supply-chain risk management guidance, 800-161, Schwartz noted.
But other initiatives aimed at critical infrastructure sectors – such as the Energy Department’s bulk power security efforts and the Pentagon’s cyber certification program – “don’t qualify as public-private partnerships,” Schwartz said. “Those are regulatory demands on contractors. And it’s not coordinated either. Sectors are doing what they need to do, but collaboration would be better.”
Likewise, an ICT supply-chain rulemaking at the Commerce Department has stirred deep industry concerns over its “vast scope” and a lack of “transparency” in the development process, but the department now seems unlikely to pull the proposed regulation back for a substantial rewrite.
Further, Schwartz said, global collaboration is lagging because the United States isn’t leading international partners in coordinated approaches.
“Krebs and NIST are doing great jobs, but there’s no over-arching strategy or leadership up top,” Schwartz said. “What is the policy? How do we engage with different sectors and with allies to get beyond company-specific actions?” he asked, pointing to a series of moves to ban Chinese products from the U.S. marketplace.
“On China,” Schwartz said, “we’re doing the same thing to them as they do to us – banning participation in certain segments of the economy because of national security – but it’s not leading to an American version of how it should be done. We’re taking the Chinese view: ‘You can’t be in our critical infrastructure.’”
The U.S. “needs a real vision to out-innovate them,” he said. Instead, “it looks like the strategy is to take Chinese companies out of the U.S. market and then negotiate them back in. But that’s exchanging national security for trade. It would be much better to have a standards policy based on international standards, that would be a vision to aim toward.” – Charlie Mitchell