CYBEREYE

Public-private effort on cybersecurity needs a push from Congress

Incentives can help, but a regulatory framework could be essential to ensuring security

A White House report on the 14 months since the release of the Cyberspace Policy Review highlights some notable accomplishments. A cybersecurity coordinator has been appointed, a military cyber command has been established, and national strategies for trusted online identities and incident response have been initiated. Domain Name System Security Extensions protocols are being deployed to help secure the DNS, and the Comprehensive National Cyberspace Initiative is being updated.

One of the biggest challenges remaining in securing the nation’s information infrastructure is ensuring the cooperation of government, which has responsibility for the nation’s defense, with the private sector, which owns and operates the majority of the critical systems.

That challenge has long been recognized. The White House report notes that “government and the private sector are partnering” or “working together” to reduce financial risks from cyber threats, identify and reduce vulnerabilities from new devices such as smart phones, and protect industrial control systems. But despite those efforts, too little progress has been made.

The need to improve the relationship between government and the private sector is a constantly recurring theme in cybersecurity. After years of lip service, information is being shared, but not on the scale or at the speed necessary to meet the demands of cyberspace.

The private sector complains that government is unwilling to share intelligence with industry, and industry is unwilling to share with government because of concerns about liability and the possible exposure of proprietary information. As a result, we are still waiting for a real public-private partnership.

President Barack Obama and other government officials reiterated to industry executives at a White House meeting last month that the administration’s approach to cybersecurity would be based on incentives for cooperation rather than on regulation. But some regulatory authority might be necessary to get an effective level of cooperation.

The problem is the conflict between the core interests and responsibilities of the two sectors. It is the government’s job to protect; the private sector’s job is to turn a profit and protect competitive advantages. Those two roles do not conflict so much in the real world, where government can defend its borders and leave industry mostly free to operate. But in cyberspace, the absence of easily defensible borders means we’re all in the fight together.

In the end, the private sector will likely need to accept some meaningful government regulation on cybersecurity, establishing standards of practice and baselines of security that can be enforced. The alternatives are to accept the status quo with large gaps in cyber defenses or turn control of cybersecurity entirely over to the government.

No one is satisfied with the status quo, and the specter of the National Security Agency or the Cyber Command assuming control of the nation’s critical infrastructure raises serious concerns about civil liberties and privacy. The sensible course is a reasonable set of regulatory standards that define the rights and responsibilities of each side in a public-private partnership, ensuring that government and industry each hold up their ends of the bargain and provide the information that the other needs.

Voluntary incentives are fine, but some baseline of compliance is necessary.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Aug 5, 2010

National ID card? No thank you. Bad enough they are back-dooring their way into it with the Real ID driver's license standards, but at least those are separate databases for now. Hey, I've worked for the Feds for 30 years, and I don't trust them as far as I can throw them. No, I'm not a conspiracy kook; no malice is required when the incompetency level is high enough; the end result is the same. It is called entropy.

Wed, Aug 4, 2010

Technically, it is called the comprehensive national cybersecurity initiative, not cyberspace.

Wed, Aug 4, 2010 John Q

As is usually the case, constant finger-pointing will occur until the Government takes the first step. Just build a system that Industry wants to compete with, and they eventually will... The first step should be a Secure National ID Card based on FIPS201 standards. Make it the NextGen SSN Card. Fund the Post Office to set up a service to vet all users and issue the initial smartcards (they already do Passports and once promoted a National Public Key Infrastructure). Digitally sign the basic SSN cards in a fashion similar to E-Passports, but also allow individuals to purchase Advanced SmartCards and Permanent Email Addresses, so the Post Office can earn added Revenue Streams. Using Commercial Certificate Authorities (i.e., Shared Service Providers) will induce their participation and build the link to commercial adoption... Secure the containers on enhanced cards using the Card Holders' Biometrics or Personal PINs so they can import additional Certificates from Banks or other services in the future. No need to reinvent the wheel here... just do it!

Tue, Aug 3, 2010

Can the Government defend our borders? Let me take you on a hike in SE AZ!
