For quite some time now, government and industry have been investing substantial time and money on public/private cybersecurity partnerships. Indeed, it was back in 1998 that Presidential Decision Directive 63 introduced us to the term Information Sharing and Analysis Center, or ISAC. Government agencies began to facilitate the creation of sector-specific and multi-sector groups, all with eager anticipation that the clouds would part, the sun would shine and information would flow like water. We held out hope that, by working together, the government and the private sector would prove unstoppable. We believed that through public/private partnerships we could gather, analyze, sanitize and disseminate just the right amount of timely and actionable intelligence to allow the good guys to better defend themselves while the government identified the bad guys and brought them to justice. That was 15 years ago. We’ve learned a lot since then.
For starters, there was a host of legal questions that demanded answers. Private sector companies asked whether information sharing partnerships would violate antitrust laws. “No,” said the Department of Justice in 2000. Not as long as the information sharing exchanges are open on a non-discriminatory basis to sector members, and are limited to information about security program best practices and the identification of vulnerabilities. The private sector then expressed concern about the Freedom of Information Act, asking whether the government is required to disclose sensitive information it receives from its industry partners. Again, “no,” this time from federal courts, which held in 1992 that the government can withhold security information from FOIA disclosure as long as the information sharing was voluntary and the company normally would not provide that information to the public. Congress then passed the Critical Infrastructure Information Act of 2002 to statutorily protect certain information from being released under FOIA.
Next came issues of trust, the emergence of legally binding non-disclosure agreements, time-consuming background checks, a review of government classification procedures, consideration of the sticky problem of global companies wanting to share sensitive government threat and vulnerability information with their security officers abroad, as well as our government wanting to share sensitive U.S. business vulnerability information with the law enforcement and intelligence agencies of other countries. Then there were the actual partnership meetings, during which time a significant number of people came as free riders who shared nothing and only participated for a chance to mingle and develop business.
Yet, the most challenging aspect of public/private cybersecurity partnerships may be more fundamental than the above issues: defining and then meeting the government’s and the private sector’s expectations of one another. According to the General Accountability Office, the majority of private sector participants have not had their expectations of working with the government met with respect to the receipt of timely and actionable cyber threat information or cyber alerts, or access to actionable classified or sensitive information such as intelligence and law enforcement information.
So, where does that leave the cyber public/private partnership model? Fifteen years of lessons-learned might lead us to reach a number of important conclusions. First, the most promising joint government/industry outcomes have been and likely will remain at the strategic level rather than at the tactical level. This includes, for example, the sharing and co-development of risk management plans and security best practices, as well as conducting joint incident response training exercises. We would do well in this regard to achieve government/industry consensus on what success looks like against the cyber security problem, and to adopt outcome-oriented metrics to measure our progress in reducing risk to acceptable levels. Second, although we now know that information sharing initiatives between the government and the private sector have inherent limitations when it comes to collecting and disseminating large quantities of time sensitive data, they are well suited to support collaborative efforts where the parties work together to identify and substantially resolve specific, high-risk, continuing problems. Third, while the government often warns the private sector about ongoing or imminent cyber intrusions, more must be done in partnership with the private sector to focus on raising the costs to the attackers. It is time for the government and industry to join forces to develop and implement technologies and policies that focus less on the vulnerability mitigation aspects of passive defense, and more on the threat mitigation aspects of hacker detection, attribution and punitive response. Fourth, in recognition of the global aspects of both the cyber problem and its solutions, the government and private sector must work together to envision and then drive strategically effective international standards, norms, research and development and multilateral relationships that better position us for the long term.
Which leads me to ask and answer the question, “Are cyber partnerships worth the effort?” Done right, they are absolutely essential.
About the Columnist:
Steven Chabinsky is Chief Risk Officer and Senior Vice President of Legal Affairs for cybersecurity technology innovator CrowdStrike. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. His commitment to government/industry alliances began in 1998 when he helped nationalize and lead InfraGard from a few hundred participants to a membership of over 50,000. Last year, he was honored as the sole recipient of the 2012 Financial Services ISAC Public/Private Sector Partnership Award.