Are Public-Private Cyber Partnerships Worth the Effort?
Fifteen years after the start of the Information Sharing and Analysis Center, what have you gained?
For quite some time now, government and industry have been investing substantial time and money in public/private cybersecurity partnerships. Indeed, it was back in 1998 that Presidential Decision Directive 63 introduced us to the term Information Sharing and Analysis Center, or ISAC. Government agencies began to facilitate the creation of sector-specific and multi-sector groups, all with eager anticipation that the clouds would part, the sun would shine and information would flow like water. We held out hope that, by working together, the government and the private sector would prove unstoppable. We believed that through public/private partnerships we could gather, analyze, sanitize and disseminate just the right amount of timely and actionable intelligence to allow the good guys to better defend themselves while the government identified the bad guys and brought them to justice. That was 15 years ago. We’ve learned a lot since then.
For starters, there was a host of legal questions that demanded answers. Private sector companies asked whether information sharing partnerships would violate antitrust laws. “No,” said the Department of Justice in 2000. Not as long as the information sharing exchanges are open on a non-discriminatory basis to sector members, and are limited to information about security program best practices and the identification of vulnerabilities. The private sector then expressed concern about the Freedom of Information Act, asking whether the government is required to disclose sensitive information it receives from its industry partners. Again, “no,” this time from federal courts, which held in 1992 that the government can withhold security information from FOIA disclosure as long as the information sharing was voluntary and the company normally would not provide that information to the public. Congress then passed the Critical Infrastructure Information Act of 2002 to statutorily protect certain information from being released under FOIA.