Education, collaboration and communication were at the forefront of discussions when government and private sector cybersecurity leaders came together at the 20th annual Cybersecurity Awareness Month kick-off event, sponsored by the National Cybersecurity Alliance (NCA).
“The evolution of technology over the past two decades has also brought new challenges and complexities to the realm of cybersecurity,” Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency (CISA), said in opening remarks at the Oct. 4 virtual event. “As a result, Cybersecurity Awareness Month has expanded its focus to encompass emerging trends such as social engineering, phishing vulnerabilities and the risks associated with remote work.”
Cybersecurity stakeholders from CISA, the NCA, the White House, the U.S. Congress and the private sector came together to address an extensive range of issues at the event. Natarajan noted that CISA had recently launched a campaign titled “Secure Our World,” aimed at keeping the cybersecurity conversation going year-round and building safe online practices into everyday lives.
“Secure Our World encourages Americans to develop better continuous cybersecurity habits, with an emphasis on individuals, families and small to medium businesses,” said Natarajan.
Drennan Dudley, assistant national cyber director in the Office of the National Cyber Director at the White House, stressed the importance of government and private sector partnerships to create a more secure and interconnected world. Dudley also highlighted the National Cybersecurity Strategy, published in March 2023, which calls for a vision that is more opportunity-oriented and less focused on threats.
“The strategy calls for managing cybersecurity risk by taking it from the entities that can least bear it and placing it on those who are most capable of preventing harm,” she noted.
She touted the White House’s National Cyber Workforce and Education Strategy, published in July, as “another path for an affirmative vision in cyberspace.” The strategy calls for the development of a collaborative ecosystem to meet the cyber workforce demand.
“That means industries sitting at the table with educators to talk about what that demand actually is and how we can meet it,” said Dudley.
On the congressional front, Sen. Gary Peters (D-MI), Rep. Andrew Garbarino (R-NY) and Rep. Eric Swalwell (D-CA), all spearheading cybersecurity legislation, provided the kick-off event with pre-recorded remarks and updates.
Peters, chair of the Homeland Security and Governmental Affairs Committee, discussed recent bipartisan legislation to protect critical infrastructure from disruptive cyberattacks, modernize the federal government's approach to cybersecurity and help K-12 schools protect their networks.
“Education is key when it comes to mitigating cyber risks,” said Garbarino, who leads the House Cybersecurity Infrastructure Protection Subcommittee. “We must work to advance American cyber literacy and bolster our nation's critical infrastructure, security and resilience.”
Garbarino also discussed his committee’s work with CISA to strengthen the United States’ national cyber posture.
Swalwell, meanwhile, reflected on how far the federal government has advanced cybersecurity. From the establishment of CISA to the mandatory cyber incident reporting law to work on voting networks, cybersecurity has emerged as a top priority at the White House.
“The federal government has improved how it partners with the private sector through entities such as the Joint Cyber Defense Collaborative, which unifies cyber defenders from organizations worldwide,” said Swalwell, the ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection.
An expert panel moderated by Lisa Plaggemier, executive director of the NCA, featured Megha Malhotra, senior technical program manager at Amazon; KnowBe4 Senior Vice President Joanna Huisman; Bobbie Stempfley, vice president of Products Groups and business unit security officer at Dell Technologies; Rusty Waldron, vice president and chief business security officer at ADP; and Google Security Policy Manager Tatyana Bolton. The panel looked at the basics of cybersecurity education with an eye to the future.
“In the face of emerging cybersecurity challenges such as the widespread use of AI and deep fakes, people still have anxiety,” said Plaggemier. She asked the panel: “How can we help people feel empowered when it comes to keeping themselves safe online?”
Huisman advocated getting back to the basics. “Any football coach will tell you it’s all about blocking and tackling,” she said. “Keep your privacy settings on, change your passwords, make sure your internet connections are secure, use multi-factor authentication.”
The evolution of how people protect themselves online has moved from basic passwords to two-factor authentication and password managers. The message from the panel was that cybersecurity is not event-based; it is ongoing.
“Eventually, we will move to a password-less future,” said Google's Bolton. “I think there's been a significant shift and I'm happy to see it. I've seen improvements in K-12 and higher education, but I think there needs to be more rigor.”
Panel members agreed that cybersecurity is becoming part of our culture and habits. They also said communication is essential if cybersecurity best practices are to be infused into the general population in ways that appeal to all age groups.
“I get phone calls from friends and family asking if something is a phishing attack,” said Waldron. “It’s becoming something personal that people can recognize.”
Malhotra said cybersecurity is like a team sport that requires communication, awareness and reasonable transparency so people can learn from each other. She offered examples of how good collaboration between the public and private sectors can help enhance cybersecurity.
“First, share threat intelligence at different levels,” she said. Second, leverage each other's expertise. “Private sector companies often possess very deep technical expertise in areas of cybersecurity, and the public sector can provide legal regulatory frameworks,” she said. “Their combined strengths can be used to develop comprehensive and very effective big picture strategies.”
Finally, she advised organizations to spend time on research and innovation.
“Develop cutting-edge technologies and offer and build solutions to counter cyberattacks and cyber threats,” she said. “By combining our strengths with each other, by combining our resources with each other, we can create a more resilient and secure digital ecosystem.”