Cyber Tactics / Cyber Security News

Are Public-Private Cyber Partnerships Worth the Effort?

Fifteen years after the start of the Information Sharing and Analysis Center, what have you gained?

For quite some time now, government and industry have been investing substantial time and money on public/private cybersecurity partnerships. Indeed, it was back in 1998 that Presidential Decision Directive 63 introduced us to the term Information Sharing and Analysis Center, or ISAC. Government agencies began to facilitate the creation of sector-specific and multi-sector groups, all with eager anticipation that the clouds would part, the sun would shine and information would flow like water. We held out hope that, by working together, the government and the private sector would prove unstoppable. We believed that through public/private partnerships we could gather, analyze, sanitize and disseminate just the right amount of timely and actionable intelligence to allow the good guys to better defend themselves while the government identified the bad guys and brought them to justice. That was 15 years ago. We’ve learned a lot since then.

For starters, there was a host of legal questions that demanded answers. Private sector companies asked whether information sharing partnerships would violate antitrust laws. “No,” said the Department of Justice in 2000. Not as long as the information sharing exchanges are open on a non-discriminatory basis to sector members, and are limited to information about security program best practices and the identification of vulnerabilities. The private sector then expressed concern about the Freedom of Information Act, asking whether the government is required to disclose sensitive information it receives from its industry partners. Again, “no,” this time from federal courts, which held in 1992 that the government can withhold security information from FOIA disclosure as long as the information sharing was voluntary and the company normally would not provide that information to the public. Congress then passed the Critical Infrastructure Information Act of 2002 to statutorily protect certain information from being released under FOIA.

Next came issues of trust, the emergence of legally binding non-disclosure agreements, time-consuming background checks, a review of government classification procedures, consideration of the sticky problem of global companies wanting to share sensitive government threat and vulnerability information with their security officers abroad, as well as our government wanting to share sensitive U.S. business vulnerability information with the law enforcement and intelligence agencies of other countries. Then there were the actual partnership meetings, during which time a significant number of people came as free riders who shared nothing and only participated for a chance to mingle and develop business.

Yet, the most challenging aspect of public/private cybersecurity partnerships may be more fundamental than the above issues: defining and then meeting the government’s and the private sector’s expectations of one another. According to the General Accountability Office, the majority of private sector participants have not had their expectations of working with the government met with respect to the receipt of timely and actionable cyber threat information or cyber alerts, or access to actionable classified or sensitive information such as intelligence and law enforcement information.

So, where does that leave the cyber public/private partnership model? Fifteen years of lessons-learned might lead us to reach a number of important conclusions. First, the most promising joint government/industry outcomes have been and likely will remain at the strategic level rather than at the tactical level. This includes, for example, the sharing and co-development of risk management plans and security best practices, as well as conducting joint incident response training exercises. We would do well in this regard to achieve government/industry consensus on what success looks like against the cyber security problem, and to adopt outcome-oriented metrics to measure our progress in reducing risk to acceptable levels. Second, although we now know that information sharing initiatives between the government and the private sector have inherent limitations when it comes to collecting and disseminating large quantities of time sensitive data, they are well suited to support collaborative efforts where the parties work together to identify and substantially resolve specific, high-risk, continuing problems. Third, while the government often warns the private sector about ongoing or imminent cyber intrusions, more must be done in partnership with the private sector to focus on raising the costs to the attackers. It is time for the government and industry to join forces to develop and implement technologies and policies that focus less on the vulnerability mitigation aspects of passive defense, and more on the threat mitigation aspects of hacker detection, attribution and punitive response. Fourth, in recognition of the global aspects of both the cyber problem and its solutions, the government and private sector must work together to envision and then drive strategically effective international standards, norms, research and development and multilateral relationships that better position us for the long term.

Which leads me to ask and answer the question, “Are cyber partnerships worth the effort?” Done right, they are absolutely essential. 

 

About the Columnist: 

 Steven Chabinsky is Chief Risk Officer and Senior Vice President of Legal Affairs for cybersecurity technology innovator CrowdStrike.  He previously served as Deputy Assistant Director of the FBI’s Cyber Division. His commitment to government/industry alliances began in 1998 when he helped nationalize and lead InfraGard from a few hundred participants to a membership of over 50,000. Last year, he was honored as the sole recipient of the 2012 Financial Services ISAC Public/Private Sector Partnership Award. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

July 2014

2014 July

In the July issue of Security Magazine, read about how the NFL is balancing security with fan experience to make sure sporting events are running smoothly. If you're doing any traveling this summer, be sure to read the 5 hot spots for business travel security, also, employers can track on-the-go employees with new mobile apps. Also, check out the latest news and industry innovations for the security industry.

Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+