The key to combating adversaries in cyberspace and building out more cyber-resilient infrastructures is creating stronger partnerships for those efforts between government and industry, a top Defense Department (DoD) official said on April 24 during the Carahsoft Public Sector Day event at the RSA Conference in San Francisco.
“The power of partnerships, I think, is a critical element of success because [cybersecurity] is an effort where we want to work as a team,” said Gurpreet Bhatia, the Pentagon’s principal director for cybersecurity and deputy chief information security officer.
“We don’t want it as a singular entity, not private industry, not the government,” he said. “So, this is a team effort, and we’re looking for that partnership to be successful in a big way,” Bhatia said in a keynote address.
Taking advantage of that “power of partnerships,” he said, relies on clear and strong communication – an area that he said, “we aren’t necessarily or haven’t been necessarily strong.”
Better communication, he explained, is key to ensuring a strong partnership that can articulate the Federal government’s requirements, needs, and problem statements, and for industry to drive solutions in an integrated, collective, thoughtful, and forward leaning way.
“That is something we want to do more of and make sure that we’re articulating those in a clear and crisp manner,” Bhatia said.
The Pentagon would also welcome “insights from industry on trends” in cases where DoD is not “thinking through the problem effectively or [the] requirements don’t make sense,” he added.
Bhatia explained that in improving communication efforts between government and industry, it’s important to address technical weaknesses that exist in systems to ensure the Federal government has an environment that enables the workforce to better protect the network.
This also applies to policy gaps within the Federal government, that adversaries could exploit, he added.
“They’re trying to determine where we’re not working as a team,” he said of U.S. cyber adversaries.
“They’re looking through our ecosystems and looking through our authorities. And that is an area where we also need to pay special attention. We need to make sure that collectively, we have a big focus … on how we provide a collective unified approach to things,” Bhatia said.
Bhatia said that zero trust security is one of those examples. The Federal government, as a whole, is working to adopt zero trust architectures in a streamlined way, where it can have reciprocity of systems and certifications.
“The biggest undertaking that we are taking at least from a cybersecurity perspective, is there,” he said. “That is something we’re all in on … deploying zero trust.”
“The DoD] has a strategy that’s been published. We have an implementation plan, we have a reference architecture. And we have set a deadline for the entire department to be zero trust enabled by the end of fiscal year 2027,” he said.
“We have been in an insurgency-led fight, and we are going into a hybrid cyber information warfare space right now, and at a speed that we all recognize that we need to take immediate action,” the Pentagon official said. “And that entails the entire department and the private sector working together. And that also includes the larger Federal space.”
Bhatia emphasized that the Federal government – and especially DoD – ultimately has a mission to accomplish that requires a healthy balance of innovation and stability. He recognized that a lot of the ingenuity and innovation in cybersecurity happens in the private sector, and therefore that balance is only possible with strong partnerships between industry and the Federal government.
“We aren’t necessarily the innovators,” Bhatia said. “We want to adopt. We want to stay flexible, we want to be agile, but at the same time, we also have a mission that demands that we be stable. And that poses an interesting balance of how you take your legacy infrastructure and resources and migrate to a modernized effort.”
DIB Cybersecurity Program Pushing for Better Partnerships
DoD is currently looking to industry to increase cybersecurity information-sharing efforts in the voluntary Defense Industrial Base (DIB) Cybersecurity program.
In 2020, the DoD established the DIB Cybersecurity program to enhance and supplement DIB participants’ abilities to safeguard DoD information. Under the program, DoD and DIB participants share cyber threat information to enhance the overall security of unclassified DIB networks, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness.
Current efforts under the program include “sharing information … [and] helping people understand how to implement things and sometimes driving industry to provide the right solutions,” Bhatia said. “We’re looking for industry to partner with us to help us drive those efforts in that space.”
In addition, DoD is looking at how participants within the DIB Cybersecurity program share collective threat information and how that information can be expanded to make sure that everybody has that data.
“Today we focus on the cleared community for the most part, but we’re also looking to expand that to make sure that everybody has that information, but not just have that information as in you get the [bits], but the right context without a revision that comes with it so you understand what the operational impact is and what you can do about it,” Bhatia said.
