Ever since the Marsh Commission called for a “Public-Private Partnership” in its 1997 report on critical infrastructure protection, the idea that government and the private sector must work together to protect our nation in cyberspace has been firmly ingrained in U.S. policy.
In Presidential Decision Directive 63, President Clinton established many of the public-private mechanisms that still exist today, such as Information Sharing and Analysis Centers (ISACs) and sector coordination bodies. President George W. Bush doubled down on this approach in HSPD-7, and President Obama let his policy ride on the idea in PPD-21. The only 2016 presidential candidate to put out a cybersecurity policy as of this writing, Jeb Bush, would also stay at the partnership table, declaring a need to “Create Public-Private Partnerships to Improve Cybersecurity in the Public and Private Sectors.”
The approach has stayed remarkably consistent across Democratic and Republican Administrations and as technology and threats have evolved. The consistency is all the more remarkable given the widely held view in the cybersecurity community that it has not worked.
The partnership model is often viewed as an alternative to a regulatory model – an approach that emphasizes “working together” vs. the kind of adversarial relationship between government and the private sector that can be the product of regulation. Yet many companies believe that voluntary engagement under a partnership model may lead to mandatory requirements.
This fear has led to the current state of the public-private partnership. Lots of meetings. Lots of talk. Lots of rhetorical support but very little action. There may be a better approach.
Companies that have a legitimate interest in improving cybersecurity should look to partner with other companies to solve cybersecurity problems without the government’s help.
In a domain in which almost everything that needs to be protected is not in a commons (like air, space, or water) but is owned by private companies, there is only a limited number of things that private companies should look to government to do.
Law enforcement agencies have a monopoly on investigating crime, making arrests, and prosecuting. Only the U.S. Department of Defense can go on the offensive in cyberspace. Only the U.S. Treasury can levy sanctions.
In some areas, like diplomacy, government and the private sector must work together. The joint application of pressure by the U.S. government and private companies in Seattle and Silicon Valley was what got China to the negotiating table on intellectual property theft.
For other areas, where the private companies can come together without government involvement or support, coalitions of the willing have proved remarkably successful, particularly on information sharing. The Cyber Threat Alliance, for example, shares thousands of malware samples and other indicators of cyber threats between its members each day without any help from the government.
Taking the model beyond information sharing to address problems in the cyber ecosystem that affect many companies should be the focus of a new round of private-private initiatives. Here are a few ideas:
Use private acquisition pressure on secure protocol adoption: Whatever the policy problem, someone will propose that the Federal government use the money it spends to buy goods and services to pressure change within the market. The only problem is that for information technology, the government market is not big enough to have a widespread impact. The government is responsible for 1 in every 10 dollars spent on IT. The companies that account for the other 9 in every 10 dollars can have a much greater impact. There is a long litany of more secure protocols whose widespread adoption has not taken off (see DNSSEC, BGPsec, IPsec, BCP 38, STARTTLS, SPF, DKIM). Large companies that collectively required the use of these protocols by their suppliers and partners should be able to move the needle on adoption rates further and faster than government.
Train the Next Generation of Cybersecurity Workers: For nuclear power and aviation, the U.S. military has trained generations of practitioners, who, when they complete their service commitments, take on similar roles in the private sector. In cybersecurity, the 6,000 personnel Cyber Command is attempting to recruit and train are barely a drop in the bucket when, by some estimates, there are 200,000 job openings in cybersecurity in the United States. For its part, academia is little help. Interest in computer science overall has been dropping for a decade. Private companies should work together to develop the workforce they need through a combination of post-collegiate (or non-collegiate) training and hands-on apprenticeship.
Vulnerability Reduction: Insecure and unpatched systems don’t just make the owners or operators of those systems insecure; they make us all insecure. Vulnerabilities in consumer devices can be exploited by criminal groups to build botnets used in denial of service attacks, to send spam, and to break passwords. Vulnerabilities in critical infrastructure in one sector can lead to impacts that cascade across other sectors. Private companies should work together to identify and remediate vulnerabilities in the cyber ecosystem, encourage the development of more secure systems, and evaluate the security of new technologies as they emerge.
Each of these initiatives could be taken on by existing organizations like the Cyber Threat Alliance, industry groups, or by new non-profit organizations. Doubtless, there are many worthwhile similar initiatives I haven’t listed here. All would meaningfully impact the cybersecurity of the nation and create a safer cyberspace in which business can thrive. And none requires partnering with the government.