Protecting the digital infrastructure is a shared responsibility of governments and private sector participants. Although some may argue that government must take charge, success will require action from all, including partnerships between governments, within the private sector, and between government and the private sector. While some speak only of private-public partnerships, what is in fact needed are public-public partnerships, private-private partnerships and private-public partnerships. By building trusted relationships in all three categories, we can improve cybersecurity. Yet the many efforts undertaken in recent years to create such partnerships do not appear to be succeeding. With appropriate leadership from government and active private sector participation, however, swift improvements are within reach. Following are some observations on what might help move us in the right direction.
First, there is no shortage of government-initiated partnerships in the cybersecurity arena. To the contrary, a recent cursory review identified more than 55 government-initiated private-public partnerships in the area of cybersecurity. Over 30 of these emerged out of the Department of Homeland Security alone. This does not include the fusion centers, the information-sharing pilot projects, the bilateral relationships, or the informal contacts that also demand industry participation. This astonishing number of activities reaches across the executive branch and demands time from key government and private sector participants across the critical infrastructures. This raises the question: do we have too many?
With so many competing partnerships and other projects, it is no wonder that progress has been hard to find. One natural consequence of this plethora of partnerships is competition for resources. From the government's perspective, there is only so much time that key cybersecurity officials can devote to these partnerships. The result is often that senior government officials cannot participate and are replaced by lower-level executives who lack the background or the authority to drive change. For example, if the White House Cybersecurity Coordinator spends just one hour per month on each of the more than 55 ongoing private-public partnerships, that alone consumes more than a full working week, leaving less than three weeks a month to coordinate the Administration's cybersecurity policies within the federal government and with state and local officials, to attend to the constant flow of threats and necessary responses, and to work with our allies around the globe.
From the private sector perspective, participation in these efforts involves real costs, ranging from the time committed to the opportunities lost because of that participation. The government typically expects industry to donate its participants' time with little definition of how much is expected (hours, days, or weeks). This overhead cost to industry adds up, especially if a company must participate in several of the partnerships; some industry partners dedicate full-time personnel just to participate in these venues. While industry personnel are participating in the group, they are forgoing other opportunities where they could be seeking or serving other clients. Participation in these partnerships, as some of our telecommunications companies found when supporting the Foreign Intelligence Surveillance Program, may also create reputational or brand risk, may require the expenditure of unforeseen legal fees, and may cost political capital, since participants may be seen as partisan as a result of the activity.
Notwithstanding these real costs, when the government initiates a new private-public partnership or asks a company to participate in more than one, industry may find it difficult to justify participation and to articulate the value proposition or return on investment for playing. Often the argument industry makes to its leadership is driven by fear of not participating. It sounds something like this: “If we don't participate and our competitor does, we will lose our positioning and possible favor with that government agency.” Successful partnerships require buy-in from all parties; when industry participates reluctantly, success will be hard to achieve.
As with all relationships, each side needs to ask what will benefit the other party, and then listen, in order to understand what the other hopes to obtain from the partnership and to develop the trust the relationship needs to succeed. For example, a common request from industry is to receive robust threat and intelligence information, so that companies can understand more quickly how they are being targeted, what information is being lost, and what methods they can use to defend their information assets, up to and including an offensive response. Industry seeks minimum thresholds for enterprise security to help raise the collective defensive posture. Moreover, industry needs our government to take stronger positions abroad in international standards fora, so that companies do not have to build their products to two or more different standards. Industry also needs the government to protect its competitive, proprietary data beyond what the Freedom of Information Act provisions require. For example, in a recent Forbes article, leading companies in the Defense Industrial Base were “called out” by their government partners for poor security postures; even if true, such statements obviously do not help build trust within the partnership. Finally, to facilitate information sharing within and across industry sectors, the government must review what it means by “collusive behavior” when it comes to the security of our core businesses and infrastructures. Do we really want to penalize our industry, as we do today, for sharing effective practices for securing their digital assets?
So, what should be done? Both parties, government and industry, must articulate a direction for future engagement. Which venue takes precedence, and why? Industry must be brave enough to say no, we cannot participate in one more effort. And the government, especially the Department of Homeland Security, along with every other executive branch entity with more than one partnership addressing cybersecurity, should review and eliminate the overlapping and duplicative efforts. Finally, we should look to Congress and the proposal from Senators Rockefeller and Snowe to stand up a cybersecurity threat and vulnerability information clearinghouse. This clearinghouse, if organized as a non-profit institution that acts as the trusted facilitator and broker of information between the government and industry, may be the formula for creating the successful partnerships we need.
Why a non-profit? Because it will not compete with industry for the service, and because it will not be controlled by government, which carries baggage for some participants; in short, the clearinghouse must be seen as a neutral third party. At a minimum, it could fast-track the private-private partnership and improve the private-public partnership. If constructed right, it could provide a “100% up-time” service through which industry shares with industry the threats it observes. It could pass government knowledge to industry with the sensitive sources and methods that make it classified removed, so that the knowledge becomes more readily available to industry. And this third-party clearinghouse could be the conduit for information flowing to and through the remaining partnerships (public-public, private-private and private-public), so that industry as a whole is better able to secure its information assets. This “super” partnership could meet the immediate operational need that industry must fill.
Our most important resource right now is time. Targeted attacks on industry are increasing, and our defensive posture remains weak. While a sense of urgency is rising, I am afraid that we will see more partnerships emerge rather than consolidated efforts and investments across executive branch agencies or industry verticals. We cannot afford to wait and see who will lead and who will follow. So let's place some wise bets, be bold, and try to make one or two of these private-public partnerships successful. We can no longer afford to fall short of operationalizing the private-public partnership and securing our Nation's networks. I am willing to double down; are you?
Melissa Hathaway is President of Hathaway Global Strategies, LLC and Senior Advisor at Harvard Kennedy School's Belfer Center. Previously she served as Senior Advisor to the Director of National Intelligence and Cyber Coordination Executive during the administration of President George W. Bush, and as Acting Senior Director for Cyberspace for the National Security Council during the administration of President Barack Obama.