For decades, relations between the federal government and the hacker community have ranged between openly hostile in the worst of times to cautiously cordial in the best of times. Through most of that, one common theme has been the government’s desire to find a way to get hackers to share their knowledge, on both the offensive and defensive sides, whether it’s in informal talks or more formal information-sharing partnerships.
This has not always gone well, as one might imagine. The main reason for the breakdown in communication between the two groups is the one-way nature of the relationship, with the government taking but not really giving much back in return. Add in a healthy dose of mistrust, and you get...not much.
In an odd twist, those relations began to thaw after the creation of the Cybersecrutiy and Infrastructure Security Agency (CISA) a few years ago, mainly due to the work done by the agency’s first director, Chris Krebs, and his staff. Krebs worked diligently to improve communications with both the hacker community and private sector defenders and became that rarest of birds: a trusted fed. Jen Easterly, Krebs’s successor, is hoping to build upon the foundation he laid and greatly expand the partnerships between Washington and the hacker and defender communities with a new initiative called the Joint Cyber Defense Collaborative (JCDC) that aims to tackle ransomware, critical infrastructure security, and cloud security as part of the initial work.
Among the private sector companies joining the JCDC are Google, Amazon Web Services, FireEye, Crowdstrike, Microsoft, Palo Alto Networks, AT&T, Verizon, and Lumen. The FBI, NSA, U.S. Cyber Command, Department of Homeland Security, Department of Justice, and the Office of the Director of National Intelligence are involved on the government side.
The JCDC may well be met with initial skepticism in the hacker and defender communities, particularly among folks who have lived through more than a few iterations of public-private partnerships, information sharing, and government outreach. This is certainly not lost on Easterly, a West Point graduate and retired Army officer who was instrumental in the creation of the U.S. Cyber Command who knows well what the government can and can not do.
“We can’t do this alone. It has to be an effort where we collaboratively come together,” she said during a keynote at the Black Hat USA conference Thursday.
“Imagination brings resilience and innovation. It makes us better hackers."
“Collaboration is in CISA’s DNA. I fundamentally believe this approach will make us stronger. We have a very large, unique cache of data that we synthesize to put out actionable products. My goal is to help breathe new life into these arguably hackneyed terms. The information we put out must be able to be used by defenders.”
Despite the historical tensions between the government and hackers, there is a non-trivial number of people who have worked on both sides of the fence in their careers. In the tech industry, Google, MIcrosoft, FireEye, Apple, Cisco, and myriad other companies boast both military veterans and former civilian government employees on their security teams, as do many financial services companies and other private firms. Easterly herself joined CISA from Morgan Stanley after her military service. So the bridges are there, it’s just a matter of opening them up to two-way traffic.
“In order to bolster our nation’s cyber defenses, it's essential that the public and private sectors work together to defend against evolving threats and shore up modern IT capabilities that will protect our federal, state and local governments,” said Phil Venables, Vice President and Chief Information Security Officer at Google Cloud.
Growing up, Easterly was fascinated by puzzles, especially the Rubik’s Cube, which she mastered as a young girl, long before YouTube was awash in videos of kindergartners solving it during snack time. She would routinely walk into toy shops and bet the owners that she could solve it in under two minutes, with a free cube as the stakes. She amassed a pile of those cubes, something she attributes to her imagination and curiosity. Those qualities are held dear in the hacker community, something that Easterly is counting on.
“Imagination brings resilience and innovation. It makes us better hackers,” she said.