Executive Viewpoints: PwC on Building an Effective Cyber Defense Through Public and Private Sector Collaboration

SIFMA president and CEO Kenneth E. Bentsen, Jr., recently sat down with Matt Gorham, Senior Fellow, Cyber & Privacy Innovation Institute, PwC, for a one-on-one conversation on how to build an effective cyber defense through public and private sector collaboration. This is an excerpt from their conversation, one in a series of Executive Viewpoints at SIFMA’s 2021 Annual Meeting. 

About Executive Viewpoints

Filmed for SIFMA’s 2021 Annual Meeting, Executive Viewpoints is a series of insightful conversations about trends and innovations shaping the future of our capital markets. The capital markets are in the midst of major transformation, arguably one of their most fundamental shifts yet. In this special series, SIFMA president and CEO Kenneth E. Bentsen, Jr. and chief operating officer Joseph Seidel interview a cross-section of experts to understand just some of the dynamics at play in the market’s next evolution.

To view more from the 2021 SIFMA Annual Meeting, please visit www.sifma.org/annual.

A Conversation with Matt Gorham

Ken Bentsen: Why is it important more now than ever for the public and private sectors to work together in preventing cyberattacks and maintaining cyber resiliency?

Matt Gorham: First and foremost, it’s because the threat’s rising. We see we’re going back to a geopolitical paradigm of great power competition. And we’re doing that at a time when there are really no consensus norms and redlines that are out there. So nation-states have both the tools to conduct that competition virtually as well as the attack surface to conduct it.

You also see with criminals the Russian-speaking, Eastern European cybercrime-as-a-service ecosystem is growing. Most recently, we’ve seen that kind of play out with respect to ransomware. Both the national security and the criminal threat are increasing. The [pandemic] drove some changes and accelerated changes in the attack surface that have really increased where both those criminals and those nation-state actors will be.

Ken Bentsen: It’s been said that cyber security is a top priority of the Biden administration. There have been announcements just in the last day that the State Department is setting up a cyber bureau. Treasury, obviously, for many administrations has been actively involved because it relates to the financial services sector on cyber, and the Department of Homeland Security. What can we expect from the government over the next 12 to 18 months?

Matt Gorham: I think we should expect that the government is going to move toward the threat, and we saw that even going back more than a year. You saw the National Security Agency set up the Cybersecurity Directorate, a reorganization geared to address that threat. You saw the FBI roll out a new strategy to impose risk and consequence on cyber adversaries. The Cyber Solarium Commission, a number of things came out of that that are playing out during this administration, for example, the new Office of the National Cyber Director, which has recently been filled by Chris Inglis, former Deputy at the National Security Agency.

I would expect that the National Cyber Director will provide some federal coherence. If you think about the various CIOs that are out there in the federal government and bringing them together in a coherent way, I think you’ll see that position really make sure that we have coherence between CISA as well as the sector-specific agencies. He’ll probably spend a good amount of time on the public and private partnerships.

I’m fond of Chris saying, “You shouldn’t need a Ph.D. in government to know how to coordinate with the government.” We’ll see some activity in that space and certainly with respect to performance. That position doesn’t have the ability to control the budget, but it certainly has the ability to highlight and make transparent the performance of the government as it relates to the money that was received.

We’ll also see a lot of innovation at CISA. Jen Easterly recently was confirmed in that position and has set up the Joint Cyber Defense Collaborative, which is really the state-of-the-art lead for the development of the nation’s cyber defense. It’s really focused on the prevention and reduction of the impact of intrusions, and it’s a joint private and public partnership that will allow us to be a more secure society.

I also think we’ll see a response from the government to any incident that occurs. We certainly saw actions with respect to the nation-state supply chain attacks of last year with the executive order. We’ve seen a lot of governmental action as a result of some of the more high-profile ransomware attacks we’ve seen over the last year. The government will be responding to those incidents should they occur. It’s about how government works together collectively with the private sector to achieve the maximum amount of deterrent effect that it can.

Ken Bentsen: I think that’s really important. I know we at SIFMA with our members engage quite a bit with our partners, particularly the Department of the Treasury and the Department of Homeland Security, but also with the regulatory agencies on cyber resiliency and in a lot of our testing, whether it’s tabletops or industry-wide testing. A lot of issues come down to some basics of when something happens, who do you call, where do you turn?

Maybe from your perspective and sort of drilling down on what you were just talking about, from a private-sector perspective, how can the government support and enable the private sector?

Matt Gorham: Fundamentally it comes down to forming those relationships early on. I will in fairness say that I do have a bias, having been in government for 25 years with the FBI and retiring recently. Those relationships are important. If you think about the private sector/public sector relationship, do you have the relationships in place? Do you have a relationship with your local FBI office, Secret Service office? Do you have a relationship with your local CISA official? Have you used those relationships, for example, in your tabletop exercises when you’re planning, and had those people at the table so you can speed the decision cycle when an actual incident occurs?

One of the things that the private sector really brings to the table that enables government is they have all the pieces of the puzzle. What I mean by that is government has some view into what the threat actors are doing. The private sector by virtue of the attack surface collectively has all of the views of what the threat actors are doing. If the private sector can give government a better view of the threat picture, then government can pick those nodes that can have the most significant impact if they were to try to conduct some type of effect on those. It’s really about giving a fulsome threat picture that allows government to then take governmental action to impose some type of risk or consequence on these adversaries so that you can have that deterrent or dissuading impact that you really want to achieve.

It’s often said that cyber really is the ultimate team sport, and I think that’s true. When government and the private sector come together, you can have a much more substantial impact on these adversaries.

Ken Bentsen: I think that’s so important when you talk about building those relationships. Do you find sometimes there’s a reluctance on folks in the private sector reaching out, and why is that so?

Matt Gorham: Yes. I think there are probably two reasons. There are still some concerns regarding liability and can I actually share the information I have? Chris Inglis in that new role will certainly be looking at that. There are options to do that. Fundamentally, the issue is oftentimes a real misunderstanding of government actions, roles, equities.

There’s a feeling, “Well, if I call the FBI, do I somehow, in the case of a ransomware attack, for example, prevent myself from paying a ransom should I find it in my interest as a business decision to do so?” “Are 20 people going to show up in raid jackets at my place of business?” Those things aren’t true. You can certainly continue to reserve your option to pay a ransom. The FBI or Secret Service isn’t going to show up in raid jackets and cause a public event. These are things that when you form those relationships and you get to understand the cultural equities of each other, then you feel much more comfortable making those phone calls.

I often saw when I was in government that there was reluctance to make the first call, but there was rarely reluctance to make a second call based on the experience of the first time.

Ken Bentsen: For the private sector to be an effective team player, what steps do you think should be taken to foster that collaboration with federal agencies? You talk about getting to know your local FBI office and the like. Holistically, how would you approach it?

Matt Gorham: First and foremost, I’d ask myself that question. Do you have robust and enduring relationships with the FBI, with CISA, with the Secret Service? If not, why not? I would seek first and foremost to form those relationships.

More broadly, I would look at other opportunities to work with government—the Joint Cyber Defense Collaborative at CISA is a great opportunity for deliberate planning on how to better defend the nation. There are other examples out there of private/public partnerships, for example, the National Defense Cyber Alliance in Huntsville, Alabama, or the National Cyber-Forensics and Training Alliance in Pittsburgh, Los Angeles, and New York. They’re great examples of law enforcement coming together with the private sector to really share information, plan, and have an impact on these adversaries.

We’re all in this together. It certainly is something we can do together. There have been some recent public service announcements that have come out that have been both with the FBI as well as private sector partners. The line is that cyber risk is business risk, and cyber security is national security. The point of those public service announcements is to say, form these relationships; when there’s an incident, we’re all in this together. We can collectively have the best impact if we work together. Please call government either before, during, or after an incident.

Ken Bentsen: Matt, that’s great advice. Thank you for joining us.

About the Participants

Matt Gorham is Senior Fellow, Cyber & Privacy Innovation Institute, PwC US.

Kenneth E. Bentsen, Jr. is President and CEO of SIFMA. Mr. Bentsen is also the CEO of the Global Financial Markets Association (GFMA), SIFMA’s global affiliate.