CISA’s relationship with industry needs work to reestablish trust, experts say
LAS VEGAS — Collaboration between agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and private industry remains essential to build resilience and combat sophisticated cyber adversaries, a panel of government and private-sector experts said on Tuesday.
U.S. authorities have a lot of work to do to restore trust with their industry partners following months of upheaval under President Donald Trump that occurred as the U.S. remains under heightened cyber threat, the experts said during a conversation at the Black Hat cybersecurity conference in Las Vegas.
The panelists largely agreed that the federal government should continue to lean on private industry to share critical threat information, even as critics warn that Trump’s massive job cuts will significantly impede the government’s ability to respond to threats identified through that sharing.
“I really think we backslid,” Rob Joyce, a venture partner at DataTribe and former director of cybersecurity at the National Security Agency (NSA), said during the panel discussion at the Mandalay Bay Resort and Casino. Joyce noted that in a normal government transition, you lose a lot of leadership.
“This year, [we] didn’t just lose the top leaders of government; we lost operational capability at any number of departments and agencies.”
The Trump administration launched a massive effort to slash jobs at key federal agencies, including CISA, which helps protect critical infrastructure providers and federal civilian agencies from cyber threats.
Senior officials at CISA, the NSA and other agencies either resigned, took buyout offers or were fired as part of a downsizing program intended to slash federal spending and, in some cases, install officials more closely aligned with the new administration’s policy priorities.
Joyce noted that the vast majority of critical infrastructure in the U.S. is owned by the private sector, which means the federal government is dependent on industry to share insights about their security concerns as well as inform authorities of immediate threats.
The U.S. intelligence community has played a growing role in sharing vital threat data as the NSA and other agencies increasingly work with private organizations. But Joyce said that intelligence is of little value if defenders can’t operationalize it in a non-classified setting so that a broad swath of organizations can defend themselves accordingly.
JPMorgan Chase chief information security officer Pat Opet said there was a need to establish strong relationships when administrations changed hands or when companies found themselves working with a new set of government leaders.
“In terms of how we scale, the effort today is still very much based on trust,” Opet said.
The financial industry is subject to much stricter cyber regulations than other sectors, but it also receives significant value from specialized threat intelligence, Opet said. The Treasury Department has a program called T-Suite, which involves sharing critical information through its Office of Intelligence and Analysis.
Marci McCarthy, the recently appointed director of public affairs at CISA, defended the administration’s efforts to work with the private sector. McCarthy said the agency under Trump was refocusing on its core mission.
McCarthy pointed to $100 million in grant funding that CISA and the Federal Emergency Management Agency (FEMA) are offering to help support state, local and tribal communities. (That money, however, cannot be spent on a key source of cybersecurity support for local governments.)
CISA has worked closely with a number of industry partners on sharing threat information and providing guidance to security teams, according to McCarthy.
Among some of the more recent efforts, CISA collaborated with industry partners and other agencies during the Microsoft SharePoint exploitation campaign in July, McCarthy said.
“Immediately, because of that public-private collaboration and trust, we went to Microsoft [and] made them aware of the situation,” she said.
McCarthy also referenced the Cybersecurity Information Sharing Act of 2015, noting that it was stuck in Congress. The law, set to expire at the end of September, provides liability protections for organizations that share cyber-threat information with each other and with government agencies. McCarthy said CISA hopes to see the act reauthorized without changes.
Read more news from Black Hat USA 2025 here.