Everyone agrees that public/private partnerships are necessary to improve cybersecurity. So why is everyone still asking for them?
It wasn’t an official theme of last month’s conference, but the common thread running through comments from government officials speaking at the RSA Security Conference in San Francisco was the need for cooperation and collaboration between government and the private sector.
Government can't do the job alone, they reiterated. It has neither the authority nor the expertise to protect the nation’s critical infrastructure. Successful public/private partnerships need to be real, and they need to be two-way streets, said Philip Reitinger, deputy undersecretary at the Homeland Security Department and director of DHS' National Cyber Security Center.
Those calls, from both industry and government, go back years. But the theme song for this search could be U2’s "I Still Haven't Found What I'm Looking For."
Why is this still so hard? Because each side is looking for something different.
A couple of exchanges during the cryptographers’ panel at the conference illustrate this. The National Security Agency’s Dickie George, technical director of the information assurance directorate, took the stage with some of the name-brand pioneers of cryptography. Adi Shamir — the “S” in RSA — said to George that NSA should take advantage of academic expertise and come to private-sector researchers for help with problems that are not highly classified, a suggestion that George said he would be happy to accept.
Whitfield Diffie, of Diffie-Hellman key exchange fame, repeated to George a request he had made earlier in writing: that NSA be more forthcoming in publishing old, unclassified documents. George acknowledged the request but made no other response.
Admittedly, NSA is not a typical agency. But the exchanges typify the relationship between government and the rest of the world. Government is more than willing to accept all the help it can get but remains reluctant to share its information. On the other hand, industry is frustrated at what it sees as an all-too-often one-way relationship.
Deputy Defense Secretary William Lynn, speaking at the same conference, said the Defense Department has a lot of information about threats and active defenses that industry could use. “We have the technology and the know-how to deploy this in the civilian context,” he said. But what is lacking is a policy to allow it.
Companies also are often hesitant to share sensitive information that they fear could become public once it's in the government’s hands.
That does not mean there's no cooperation. Government relies primarily on commercial security products, and in the long run, most government security comes from the private sector. Government specifies requirements for security in its acquisitions, and industry is constantly advancing its products and technologies. In the other direction, agencies are tasked with facilitating the sharing of information between companies through sector-specific Information Sharing and Analysis Centers.
But judging from the repeated calls for more cooperation, neither side is fully satisfied with the level of sharing. No single partnership will meet all needs. There eventually will be myriad relationships among government, private industry and academia to shore up cyber defenses and present a more effective front to the hostile portion of cyberspace. But for the situation to improve, each side must be willing to trust the other and make real two-way sharing possible. Neither side can do the important job of securing cyberspace by itself.