Cybersecurity solution needs better partnerships, not more rules, group says

A coalition of industry organizations is warning against abandoning the partnership model for infrastructure protection, calling instead for increased cooperation and financial incentives.

The current model of public-private partnership for cybersecurity is effective and should not be abandoned in favor of a new regulatory regime, a coalition of IT industry and civil liberties organizations is warning.

What are needed instead are clearly defined roles for all parties and economic incentives for businesses in securing the nation’s critical infrastructure, according to an industry white paper released today.

“A strong framework for promoting cybersecurity through a public-private partnership is already in place, and industry and government have devoted substantial resources to it,” the paper concluded. “There is no need to create a new one, or to replace the existing partnership model with a system of government mandates that would erode trust, threaten privacy and undermine voluntary cooperation. This would be a setback for cybersecurity.”

The paper was produced by the Business Software Alliance, the Center for Democracy and Technology, the Internet Security Alliance, TechAmerica, and the U.S. Chamber of Commerce. ISA president Larry Clinton called it a consensus statement from the business and civil liberties communities.

“I view this as a very pragmatic document,” Clinton said.

The goal was to cut through what Clinton called the “cacophony” of voices on how to improve the nation’s cybersecurity with “a unified voice to the White House and to Congress.”

The paper builds upon recommendations for improving security in key areas identified in the Obama administration’s Cyberspace Policy Review, and it begins with the assumption that efforts at establishing public-private partnerships have not failed but need to be bolstered.

The nation’s critical information infrastructure -- which includes the Internet, public and private networks and systems supporting key areas such as transportation and power distribution -- has come under increased attack at the same time the nation has become increasingly dependent on it. Most of the technology and processes for effective security exist, but implementing them across a complex environment is a challenge. This is complicated by the fact that ownership and operation of the infrastructure is split between a large number of government and privately owned organizations.

The core of the challenge is that government and industry have different goals and responsibilities, Clinton said. Government is charged with providing for the nation’s defense and common welfare, while business has a responsibility to increase shareholder value.

“The public sector assesses risk differently from the private sector,” Clinton said. Businesses take a dollars-and-cents approach that is not appropriate to national security. Business must move toward a common ground with government but cannot be expected to fund investments that are not economically effective. “Government is going to have to find ways to make the appropriate incentives to business and they are going to have to do it in the current economic reality,” he said.

Recommended incentives include implementing a research and development tax credit; funding grants for emergency preparedness and response; streamlining regulatory requirements; updating the SAFETY Act, which provides a mix of marketing, insurance and liability benefits; enforcing liability protection; and promoting the growth of a cyber insurance industry.

Other recommendations include:

  • Risk Management: Government and industry need to recognize that risk-management perspectives stem from different roles and responsibilities; government demands a higher standard of care, but market incentives need to be available to accommodate noncommercial needs for security.
  • Incident Management: Government should fully establish industry’s seat in an integrated watch center and begin efforts to increase industry’s presence; industry should ensure a long-term plan for filling the watch center seats; and participants should report lessons learned from collaborative exercises as soon as possible and undertake improvement measures on a timely basis.
  • Information Sharing and Privacy: Information sharing for cybersecurity purposes should be transparent and should comply with fair information practice principles. Government should consider how it can share more classified and sensitive information, particularly the parts of that information that can help the private sector defend its systems. Congress should consider whether narrow adjustments to surveillance laws are needed for cybersecurity purposes.
  • International Engagement: Industry and government need to engage in international organizations and standards-making processes and work together to develop a strategy for engagement, capacity building, and collaboration on issues of global concern.
  • Supply Chain Security: The government should expand its participation in development of international supply chain security standards and then leverage those standards in its acquisitions process.
  • Innovation and Research & Development: Government and industry should cooperate to create a National Cybersecurity Research and Development Plan with prioritized objectives and a detailed road map for each partner, regularly reviewed and adjusted as necessary.
  • Education and Awareness: Enhance cybersecurity public awareness and education and increase the number of cyber professionals through policies to boost the number of graduates in science, technology, engineering and mathematics programs.

Clinton said the paper was provided to White House staff several weeks ago and that industry representatives would be briefing House and Senate staffers Friday.