The IT Security Entrepreneurs' Forum brings together startup companies that have developed cutting-edge cybersecurity technology with established corporate and government leaders to discuss if and how the new tools can be used. The event, which will be held March 16-17 at Stanford University, is hosted by Security Innovation Network, a group founded to encourage collaboration between government and industry to speed the development of security innovations.
Nextgov spoke with SINet founder Robert Rodriguez about a week before the forum about the state of collaboration between government and business. Rodriguez retired from federal government in 2004 after serving in the Secret Service for more than two decades and heading the San Francisco Electronic Crimes Task Force, which established working relationships among government, public, private and international stakeholders to establish strategies for better protecting computer infrastructures.
Nextgov: What inspired you to form SINet?
Rodriguez: When I was in San Francisco, I fell in love with the entrepreneurial spirit in Silicon Valley and became passionate about bringing disparate groups together focused on cyber. Success in this area starts with awareness, education, training and relationship building.
Nextgov: Why is public-private collaboration such a hard thing to do?
Rodriguez: You have acquisition language that suffocates innovation, [because] it was built at a time when the Internet was not as dynamic. There needs to be a better way for communicating the needs and requirements for system integration. How can you build a solution when you don't understand what you need to build to? Then, on the other side, there's a lack of understanding of government processes [in the private sector]. This creates a cultural divide.
Nextgov: Do the federal government and industry view cybersecurity differently?
Rodriguez: Government, the Defense Department in particular, is very risk averse, and for good reason. But the adversaries are innovating faster than we are and chipping away at [legacy systems] a bit at a time.
There are technologies that can help stop the bleeding. They might not be the silver bullet, but [government] can't wait for things to be perfect. It's a balance that starts with awareness of the innovation happening across America. Instead of trying to reinvent or build new products, why not partner with the small company and hold its hand to advance security that way?
There are lessons to be learned for both industry, which moves at warp speed, and government, which focuses on mitigating risk. We need to find a balance. The adversaries attacking our system don't face the same challenges. They don't have corporate governance, privacy, budget, bureaucracy and policy issues to consider, nor do they have the moral and ethical questions to consider. That makes their job far easier.
Nextgov: You mentioned procurement. This seems to be a major sticking point to true collaboration. How much regulation is appropriate?
Rodriguez: If you don't adhere to government procurement requirements, guidelines and rules, you put [systems] at great risk. However, we can't wait two years to identify and integrate products. We've got real problems and we can't wait for perfect. Someone needs to take action. I'm not saying boil the ocean, but if the average time, cradle to grave, to get a solution [developed and deployed in a federal agency] is 24 months, how about we set a goal of 20 months? And then from there, maybe we set a goal of 16 to 18 months.
Nextgov: Another concern of industry seems to be liability. If companies share critical information about cybersecurity with government, will they be held responsible when breaches or attacks occur? Can government do anything?
Rodriguez: That's a hard question, but policy is a critical component to addressing these problems. We're in the beginning of the Internet [revolution]. We need to get on the front end of the threats and that requires a combination of technology innovation and leadership, good management, well thought-out system architectures, and policy that is the result of industry practitioners and legislators working together.
Public-private partnership is a beautiful model to believe in and it works, but we need to take an asymmetrical approach that encourages mutually beneficial relationships. It needs to be a national approach that is community-based. It's hard for the Homeland Security Department to truly enable public-private partnership across the nation, because there isn't that element of trust. We've got to move from a "me" to "we" mentality, with the proper leadership in place. With Howard Schmidt as the White House's new cybersecurity coordinator, we know we have a leader with a huge relationship base. That's a big help.