Lack of trust still hinders public/private security efforts
Both sides understand the problem but feel the need to protect their own information
If there is a single phrase that has been consistently overused in the 15 years I have been covering cybersecurity, it is “public/private partnership.” If I had a nickel for every time I’ve written those words — well, I wouldn’t be rich, but I probably could buy dinner at a nice restaurant for myself and a few friends.
So why is cooperation between government and industry still so hard to come by? Although both sides agree on the need for cooperation in securing the nation’s critical infrastructure, the same complaints are being made today as in 1995. Each party accuses the other of holding out, and each says the other can’t be trusted with its sensitive information.
Which country is most feared as a cyber threat? Guess again.
Online threats continue to outpace government and industry’s ability to respond
The problem does not seem to be caused by a lack of understanding or will. There are the industry-sector Information Sharing and Analysis Centers and the FBI’s InfraGard program, in which local field offices partner with companies in the critical infrastructure area. But each partner in those efforts often feels it is giving more than it gets in return.
Neither government nor industry has ever developed a culture of trust. They are top-down hierarchies in which information is power and is best used to gain an advantage over another party, and those habits are hard to break. Get the two in a room together and everyone is cordial, but there is about as much real trust as you find between the Corleones and the Barzinis.
The situation was illustrated recently at the release of a report on critical infrastructure security commissioned by McAfee and written by the Center for Strategic and International Studies. Government and industry officials shared the dais and emphasized the need for cooperation. But Adam Rice, chief security officer at Tata Communications, a Tier 1 Internet carrier, described meetings with FBI and Homeland Security Department officials in a search for information: “We smile at each other, but I don’t take anything away from the meetings that are helpful in protecting the infrastructure,” he said.
On the other side, government is frustrated with the level of cooperation offered by the private sector. “That has always been a sore point with government,” said Stewart Baker, a former assistant secretary for policy at DHS and lead author of the report.
Each side has legitimate concerns. Government agencies are leery of giving up sensitive information that could compromise confidential sources. Companies are concerned about losing control of proprietary information that could hurt stock prices or help competitors.
The private sector, which operates the majority of the nation's critical infrastructure and has security equipment installed on networks throughout the world, has the comprehensive visibility of systems that the government can only dream of. Government has the power to regulate access to nontechnical intelligence that can help make sense of that technical data.
Given the potential for abuse, getting the two sides to effectively cooperate admittedly could be scary. But it also could be necessary. It is not likely to happen until the two come together and, instead of asking, “What do you have for me?,” say, “What can I do for you?”