What can China teach the U.S. about IT security?
Asian model of public/private interaction could hold some lessons
- By William Jackson
- Apr 22, 2011
One of the most interesting pieces of information to come out of McAfee’s second annual critical infrastructure protection report is the apparent connection between the amount of interaction companies have with their governments and their level of IT security.
“The report indicates a strong correlation,” McAfee CTO Phyllis Schneck said. Companies reporting frequent interaction and regular security audits, especially those in China and Japan, had a higher percentage of security measures implemented on their systems than companies in market-driven economies such as the United States and the United Kingdom.
“Based on these figures, if there is a race among governments to harden their civilian infrastructure against cyberattack, Europe and the United States are falling behind Asia,” the report states.
Lack of trust still hinders public/private security efforts
Trusted online identities plan hinges on collaboration
Unfortunately, Schneck added, “it is not quite defined what that relationship should be,” to obtain optimal security without compromising freedom.
The report, released last week in Washington, was based on a survey of 200 industry executives from critical infrastructure enterprises in 14 countries. The data was analyzed and supplemented by the Center for Strategic and International Studies.
In an effort to get more specific data, executives were asked about a list of 21 specific security controls, from patch and configuration management to application whitelisting and monitoring network connections. Nobody was doing everything that could be done, but China, Italy and Japan were at the top of the list, having implemented nearly 60 percent of available security measures. At the bottom was Brazil with 24 percent. The United States was in the middle with about 43 percent.
Asked about their interaction with government, “Chinese executives were at the top of the scale — reporting high levels of both formal and informal interaction,” the report said. “The other country with high public-private interaction was Japan, where cybersecurity oversight seems to have increased significantly over the last year.”
Executives in both countries also reported regular government audits of their security status, which was almost nonexistent in the United States.
“The companies that have the most interaction with government about security have begun to have more respect for each other and take the threats seriously,” said Stewart Baker, visiting fellow at CSIS and former assistant secretary of Homeland Security and counsel to the National Security Agency, in a panel discussion about the report’s findings.
So what does this mean for us? Government and industry have for years acknowledged that protecting the nation’s critical infrastructure requires a public-private partnership, but finding the right balance has been difficult. The private sector owns and operates the infrastructure, and government has the responsibility for national security. Neither side fully trusts the other with its secrets. Both sides are leery of government regulation.
But the message seems to be that government has an important role to play, if leaders only knew what it is.
“I don’t see a magic formula,” Schneck said.
Few would seriously propose that the United States adopt the security policies of China. But there are cultural as well as political differences between this country and Asia, and a non-regulatory relationship seems to produce results.
“One Japanese security expert attributed the high level of cooperation to the unique nature of Japan’s public-private security partnership,” the report said, with the executive telling surveyors that “government encourages the autonomy of critical infrastructure owners and operators [and] supports their self-motivating activities rather than regulating them.”
U.S. executives and government officials might not have the same attitude toward a partnership as their Japanese counterparts, but there might be something we can learn from them.
William Jackson is freelance writer and the author of the CyberEye blog.