On Wednesday at Davos, the World Economic Forum officially announced the Global Centre for Cybersecurity. The new hub, based in Geneva, will become operational in March with a mandate to encourage public-private cyber collaboration.
Philip Quade, Chief Information Security Officer at Fortinet, argues that business and government leaders should together focus on critical infrastructure security while also cultivating a new kind of workforce.
“Acknowledge that neither the Government nor the Private Sector, alone, can address the problem,” Quade, who previously served as the NSA Director’s Special Assistant for Cyber and Chief of the NSA Cyber Task Force, said in an email. “Perform joint projects to solve pressing problems, which has the simultaneous benefit of creating ‘muscle memory’ between the public & private sector, which will serve nations well if/when those two sectors have to work closer together in a crisis situation.”
The new kind of workforce should include “Apprentices, Journeymen, and Masters … in the combined fields of cybersecurity and physical security, since, increasingly, cyber and physical processes are converging,” Quade said. “We need to create a workforce, with multiple skill levels, to take on those converging security challenges, to protect our critical infrastructures, industrial automation, autonomous transportation systems, and future healthcare solutions.”
A public-private cyber coalition
To do accomplish these two tasks, according to Quade, stakeholders from the following groups of people should first agree to work together:
“People in positions of authority: These can be owners of critical infrastructures or even government leaders who have a role in critical infrastructure. They need to be individuals with the authority to authorize the implementation of solutions and to clear any barriers to make that happen. They will help create and nurture both leap-ahead progress and steady, incremental progress over time.
People with know-how: This can include anything from operational expertise, deep technical knowledge, or access to sophisticated equipment and techniques to validate any proposed solutions.
People with financial resources: This can include individuals, companies, government agencies, or consortia that have the money necessary to support things like meeting and planning logistics, the funding of trial programs, or to create enduring connections between parties where individual budgets may not reach.
Thought leaders: A group of leaders, at both the regional and national level, who understand the scope and scale of the issues at hand (e.g., threats, complexities), as well as the strategic approaches that will be most effective at addressing them. This will need to be an action-oriented network of like-minded thought leaders and stakeholders who share a common vision of a more secure and resilient U.S. posture. They would need to agree to work together toward big goals over a 7- to 10-year horizon, to scope out the challenges, identify a strategy and nurture the initial implementation of the solution.”
Quade added that symbolic organizations — including national labs, university-affiliated institutions, and other public and private organizations like the new Global Centre of Cyber Security — “are often looked to for taking the lead and are closely watched by others who tend to follow that lead.”
Institutional muscle memory
“Once this coalition is formed, the next step is to create a light-touch orchestration board to establish some enduring procedures in cases where such things are helpful,” Quade said. “This board will need to take on the issue of automated information sharing within and among critical infrastructures. The goal is to enable the sharing of threat intelligence and best practices, and otherwise get people to start working together to create relationships.
“At the same time, the coalition needs to begin to pilot the most promising strategies and capabilities, such as consequence-based engineering, or ‘protection by design,’ and then ‘test’ those capabilities to create the most meaningful increases in security and to enrich partnerships. It also need to promote research and innovation on the right challenges, experiment and push the envelope, and fail fast, but on the most important priorities. This approach helps build institutional muscle memory so that responses to actual attacks are quick and effective.”
Once the coalition is operational, Quade concluded, a new kind of workforce should take on the multifaceted challenge of security in the cyber realm.
“The cybersecurity industry must reconsider its job roles and structures,” Quade said. “This will involve creating an environment in which professionals in IT, OT, and physical security regularly collaborate and rotate job assignments in recognition that the design of critical infrastructure solutions cannot separate these professions.”
Follow Michael B. Kelley on Twitter @MichaelBKelley