The Need for a Joint Effort Between Government and the Private Sector
In recent years, an increasing number of sophisticated cyberattacks—including ransomware and nation-state attacks—have targeted businesses, government agencies, schools, hospitals, non-profits, and others.
The complex challenge of strengthening cybersecurity and deterring attacks requires a coordinated, multi-pronged response from governments and the private sector. No single company or government can stop attacks, but a coordinated effort, including implementing and aligning best practices, policies, and regulations globally and within our borders, can help stem the tide.
The Role of the Federal Government
Every federal agency has a role to play in securing our cyber ecosystem, whether through improving its own cybersecurity, driving increased cyber hygiene practices across organizations, or identifying and neutralizing cyber attackers. The Office of the National Cyber Director (ONCD) leads the country’s strategic efforts to align and strengthen cybersecurity roles and responsibilities throughout the federal government.
In March 2023, the White House released its National Cybersecurity Strategy, which underscores that “robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace.” ONCD is coordinating the various lines of effort related to the strategy and is expected to issue an Implementation Plan this summer that will provide more details on how the Administration plans to act on its strategic objectives.
ONCD works closely with the Cybersecurity and Infrastructure Security Agency (CISA), other federal agencies, and the private sector to improve coordinated cybersecurity efforts. CISA serves as the lead agency for protecting and defending federal civilian networks and performs an increasingly important coordinating function between the public and private sectors, identifying and disseminating actionable threat information to enhance the nation’s cybersecurity.
Congress has a critical role to play as well—both in creating policies and investing in cybersecurity programs. The Infrastructure Investment and Jobs Act (IIJA, also known as the infrastructure bill), signed into law on November 15, 2021, provides substantial cybersecurity investments, including funding to help strengthen the cybersecurity of utilities and state and local governments.
In March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law. Under CIRCIA, CISA is developing cyber incident and ransomware payment reporting requirements for “covered entities,” which span a wide range of sectors, including energy, finance, telecommunications, IT, agriculture, defense, healthcare, and others.
Many of the details of CIRCIA, including the scoping of reportable entities and incidents as well as what information must be reported, will be developed during the rule-making process, which must be concluded by September 2025. Microsoft responded to CISA’s Request for Information on CIRCIA in November 2022 and will remain engaged as the rule-making process proceeds.
Congress has considered adopting policies to identify, designate, and secure Systemically Important Critical Infrastructure (SICI). The goal of this legislation would be to improve cybersecurity for critically important—and often vulnerable—national assets, such as energy infrastructure and key software. This proposal, however, failed to be enacted in 2022 and is unlikely to garner more support in this Congress. Congress is also considering ways to improve and codify CISA’s Joint Cyber Defense Collaborative (JCDC) public-private information sharing forum.
In December 2022, Congress passed the National Defense Authorization Act for Fiscal Year 2023, which included several cybersecurity provisions, primarily focused on defense and homeland security.
Voices for Innovation will continue to monitor debates about cybersecurity legislation and highlight the best opportunities for our members to engage on this issue.
Cybercrime knows no borders. The most severe attacks on U.S. businesses, institutions, and government have come from nation-state actors and hacking groups located outside our borders. Our government, as well as the tech sector, must also engage at the global level to strengthen cybersecurity.
As of November 2021, the U.S. government, as well as the European Union, joined the Paris Call for Trust and Security in Cyberspace, a global cybersecurity initiative. More than 1,200 private sector entities, international organizations, and governments have signed on to the Paris Call. The United Nations is also engaged on this issue, and many technology companies, including VFI partners, have signed on to the global Cybersecurity Tech Accord, which just celebrated its five-year anniversary and issued a report on the state of cybersecurity.
The Role of Tech and Microsoft Partners
The tech sector supports cybersecurity on several fronts, including by developing secure software and systems; monitoring and securely managing systems; and supporting the cybersecurity of customers. Cloud, enterprise, and platform technology companies, including Microsoft, have special responsibilities and capabilities, such as notifying customers of attacks, disrupting attacks and hostile infrastructure, and collaborating with government agencies.
Microsoft partners can support strengthened cybersecurity in several ways as well. In addition to following cybersecurity best practices, partners can advise their customers about the importance of maintaining cyber hygiene—and point them toward resources such as the “Actionable Insights” of Microsoft’s annual Digital Defense Report and Microsoft’s Digital Threat Analysis Center (DTAC) reports on nation-state cyber operations. Microsoft partners can also help mitigate the impact of attacks and help customers restore systems.
At appropriate moments during policy discussions, Voices for Innovation may also encourage partners to share their expertise and experience with policymakers. Partners have a unique perspective that can help policymakers better understand the threat landscape and impacts on small businesses.