CYBEREYE

Lack of trust still hinders public/private security efforts

Both sides understand the problem but feel the need to protect their own information

If there is a single phrase that has been consistently overused in the 15 years I have been covering cybersecurity, it is “public/private partnership.” If I had a nickel for every time I’ve written those words — well, I wouldn’t be rich, but I probably could buy dinner at a nice restaurant for myself and a few friends.

So why is cooperation between government and industry still so hard to come by? Although both sides agree on the need for cooperation in securing the nation’s critical infrastructure, the same complaints are being made today as in 1995. Each party accuses the other of holding out, and each says the other can’t be trusted with its sensitive information.




The problem does not seem to be caused by a lack of understanding or will. There are the industry-sector Information Sharing and Analysis Centers and the FBI’s InfraGard program, in which local field offices partner with companies in the critical infrastructure area. But each partner in those efforts often feels it is giving more than it gets in return.

Neither government nor industry has ever developed a culture of trust. They are top-down hierarchies in which information is power and is best used to gain an advantage over another party, and those habits are hard to break. Get the two in a room together and everyone is cordial, but there is about as much real trust as you find between the Corleones and the Barzinis.

The situation was illustrated recently at the release of a report on critical infrastructure security commissioned by McAfee and written by the Center for Strategic and International Studies. Government and industry officials shared the dais and emphasized the need for cooperation. But Adam Rice, chief security officer at Tata Communications, a Tier 1 Internet carrier, described meetings with FBI and Homeland Security Department officials in a search for information: “We smile at each other, but I don’t take anything away from the meetings that are helpful in protecting the infrastructure,” he said.

On the other side, government is frustrated with the level of cooperation offered by the private sector. “That has always been a sore point with government,” said Stewart Baker, a former assistant secretary for policy at DHS and lead author of the report.

Each side has legitimate concerns. Government agencies are leery of giving up sensitive information that could compromise confidential sources. Companies are concerned about losing control of proprietary information that could hurt stock prices or help competitors.

The private sector, which operates the majority of the nation's critical infrastructure and has security equipment installed on networks throughout the world, has the comprehensive visibility of systems that the government can only dream of. Government has the power to regulate access to nontechnical intelligence that can help make sense of that technical data.

Given the potential for abuse, getting the two sides to cooperate effectively admittedly could be scary. But it also could be necessary. It is not likely to happen until the two come together and, instead of asking, “What do you have for me?” say, “What can I do for you?”

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Feb 15, 2010 Robert "Bob" Donelson Washington DC

Agreed, the use of "Public/Private Partnerships" at the Macro Level is akin to a theoretical discussion of drinking the Oceans and is overused. Focusing Public/Private partnerships discussions to achieve relative trust on specific needs is from my perspective not out of the question and achievable. The Development of the FIPS-201 Standards extending to the PIVI public sector standards is a case in point of achievable trust. The Government Smart Card IAB and the Private Sector Partnered to achieve a rapidly growing standard to secure both public and private sector networks to increase trust. Other Government Organizations should consider the lessons learned from that body of work which has created over 400 new commercial lab approved products, grew jobs and improved government.

Respectfully Submitted
Robert "Bob" Donelson
Retired Federal Employee and Past Chair to the Government Smart Card IAB
