Industry should take the lead in public-private partnerships addressing cybersecurity, while the federal government reinforces the standards private sector organizations establish, according to a report from an association of intelligence and security professionals released on Tuesday.
An effective strategy for improving cybersecurity in government and industry should incorporate methods for detecting threats against computer networks and information systems, ensuring compliance with established security standards, and responding quickly to cyberattacks, according to a white paper the Arlington, Va.-based Intelligence and National Security Alliance released. The role of the private sector should be mostly "self-generated and self-imposed, based on a strong value proposition and market-based incentives," said the report's authors, which included government and industry security experts.
"The private sector has a history of self-help and has provided necessary services for the public throughout history; yet this problem is exceedingly complex and government support is absolutely necessary to make it work," said Ellen McCarthy, president of INSA. "A partnership based on industry leadership, with a circumscribed but meaningful role for government, has the potential to make the Internet more securable without greatly impeding on the IT market or the performance and utility of [computer] networks."
Specifically, the role of the federal government should be to regulate cyberspace, enforce law, and defend against and respond to threats and attacks against the nation's interests, according to the report. The Homeland Security Department should take the lead in those federal responsibilities, working with a cybersecurity panel of representatives from industry and government organizations that would establish security requirements for Internet service and telecom providers and hardware and software vendors.
"One of the main impediments to effective collaboration and information sharing right now is a complicated legal regime," McCarthy said. "Establishing a joint body to act as the center for information sharing would help to coordinate action and policy and alleviate some of these concerns. Also, the government should employ the carrot more liberally than the stick in creating these partnerships; if there are significant incentives to be had through effective partnership, they can provide needed impetus for the development of solutions to these problems."
Federal government also could formalize the public-private partnership model and approach Congress to gain their "participation and blessing," noted the report, which also recommended "self-inspection" by industry for compliance with established security standards, industry tracking of cyberspace for potential threats without liability risk and ongoing testing of computer systems to determine how they could withstand attacks.
INSA's recommendations were based in part upon three existing public-private partnership models: the Federal Aviation Administration, which issues directives to ensure flight safety and regulate airline manufacturers and operations; the Coast Guard, which cooperates with boaters and operators to establish safety measures, but primarily takes on a law enforcement role; and the self-regulating North American Electric Reliability Corporation, which develops security standards for individual power plants that a federal commission enforces.
Congress and federal regulators, however, have criticized NERC's process, saying it would not respond quickly to urgent national or cybersecurity risks. The report acknowledged such shortcomings in the model, noting, "the time scales involved in cyber development, incident response and threat indications are all vastly shorter than anything in other public-private partnerships."
"What drew INSA to NERC was the idea of an organization that began as an all-private initiative and created and enforced standards upon its own members for years before there was a role for the federal government," McCarthy said. "We also were particularly interested in [FAA's] narrow focus on flight safety, allowing it to be effective [while limiting] adverse impacts on the airlines. [But] all in all, no one example fit perfectly."