Cybersecurity and Public-Private Partnerships

A coalition of information technology and civil liberties organizations released a joint white paper last week on improving cybersecurity through public-private partnerships. The report is an interesting synthesis of the priorities and concerns of a very broad coalition, and worth reviewing. Larry Clinton, the President and Chief Executive Officer of the Internet Security Alliance, played a central role in the study and took time to answer a few brief questions.

Q: There have been a number of cybersecurity reports over the past couple of years, from the public and private sector. What would you say your new report adds to the debate?

A: First, this document is embraced by a coalition far wider than just the ISA. In addition to the size and breadth of the coalition, there is the fact that it brings together traditional advocacies in the cybersecurity space. Historically, the "partisan divide" in cybersecurity has been the users who complain they are sold buggy equipment and the vendors who note users don't want to pay for security and don't keep the equipment properly updated. We have brought together both sides on this document, plus the civil liberties community.

Second, this document is by far the most specific document in this space with respect to policy. Normally you will see a coalition of this size able to agree on a one- or two-page letter. This is a detailed 22-page white paper with very specific policy recommendations.

Third, this document extends and explains why a partnership is the only practical way to proceed, but also what needs to be done to strengthen the partnership. In doing so it makes some subtle but important extensions on the policy discussion. For example, several of the documents you mention suggest that cybersecurity needs to be analyzed via a risk management framework -- nothing new there. However this document, uniquely compared to the others you cite, analyzes what the different risk perspectives are for the partners based on their legal responsibilities and explains why there will be a natural gap between the risk tolerance on the private sector side and that on the public sector side.

In sum, this document has broader support, deeper analysis, and more precise handling of the critical issues that have hampered the maximum evolution of the public-private partnership.

Q: Having reviewed your new report, you take up some issues that we've seen mature in the debate on the Hill, such as privacy, international engagement, and support for research and development. Is there anything being discussed on the Hill or in the administration that you're concerned about right now?

A: This paper is not written in response to any specific bill or initiative. We are aware of course that there were a couple of bills that began their way through the legislative process last year, but they did not gather enough support to get to the floor. And neither the House nor the White House has weighed in on legislation.

We have been meeting on a weekly basis, often several times a week, for more than 6 months to put this paper together precisely because we wanted to get it into the policymakers' hands before they wrote their bills and reports.

Everyone knows that the private sector owns, operates, and frankly, creates and manages the vast majority of what makes up the Internet. The public sector absolutely needs the private sector's help and even more so, their expertise, in order to secure the system.

Last year the Senate staff made a yeoman's effort to reach out to the private sector. However staff complained, justifiably, that with so many different individual voices it became difficult for them to know which private sector voice to listen to.

That's why these 5 organizations decided to pull themselves together and speak in one clear voice as to what needed to be done in partnership to strengthen our cybersecurity and do it in a way that will not only be effective but be sustainable.

Q: I was interested in your report's recommendations around federal R&D in cybersecurity. You seem to be calling for greater direction from the federal government on priorities in cybersecurity R&D for the private sector, but doesn't that run contrary to the idea that the private sector should innovate solutions?

A: I don't read our report that way at all. The fact of the matter is that the private sector will continue to be the major driver of innovation for information technology. Indeed we note that one of the major needs we hope to address is the need for greater private sector investment in cyber security technologies.

However, our federal partners do have a role to play, and in some cases, such as where there will be no ascertainable private sector profit motive, the public sector may have a lead role. But for the most part we believe the private sector side will and ought to take the lead.

However, just as there was perhaps confusion among our private sector partners last year because there was a jumble of private sector voices for cybersecurity, there is an equal jumble with respect to public sector priorities. We need our federal partners to develop a plan and work with us so that it will be practice for their unique needs -- not for innovation in general.

Q: ISA has identified the accurate assessment of cyber risk as a key component of improving cybersecurity. Would you support the SEC issuing more robust guidelines on calculating and disclosing cyber risk in companies' corporate filings? This would provide an incentive for companies to invest in cybersecurity since shareholders and potential investors would respond to unaddressed "material risks."

A: This is an idea we are looking at, but have not come to a consensus as an organization on. Some of the information I've received so far seems contradictory. My understanding is that the SEC already does do some of this and that there are actually a number of companies who have reported such, and I'm not sure that has had the predicted response.

Did shareholders stop investing in the companies that have reported material risks of this sort? It's my impression that shareholders respond to the notion of profitability, and unless these material risks can be linked to that, I'm not sure this is the solution.

This also doesn't seem to appreciate the varying standards of risk tolerance that are economic for a company. If a retailer knows that 10 percent of his inventory is "walking out the back door" every month, but realizes it may cost 11 percent to put up the guards and cameras, hire new staff, etc., then it is in fact economic and a wise decision from the shareholders' perspective for the retailer to tolerate that level of insecurity.

The problem comes wherein we have a shared network where not all the costs of insecurity are in fact borne by the insecure party. What we are seeing now is a tremendous growth in insecurity that comes from interconnection with partners and vendors for whom the initial corporation may have no good way to assess their security -- yet modern business models and competitiveness are driving these sorts of relationships.

Or, take for example, the issue of cloud computing. Everyone (including the government, which just announced its "cloud first" program) seems to be going to the cloud. Yet more than two-thirds of IT professionals in the most recent Global Information Security Survey said they had little or no confidence that the data they put in the cloud is secure (including 49 percent who have already put their data there).

Why is there this inconsistency? Because the cloud is so economically justified. Entities, and I suspect stockholders, will embrace insecure business models like, presumably, cloud, because it's so economically justifiable. The government hopes to save up to 50 billion annually by going to the cloud.

So there seems to be a lot of research to do to verify that this proposal will indeed make a difference in solving the problem -- and there are substantial downsides such as capital flight from U.S.-based firms to other companies who don't have this requirement.

We have advocated a much more direct way of addressing the economics of cybersecurity. We start by understanding that digitization has fundamentally changed the economics of business (as it has just about everything else also) and we seek to put in place the market incentives that will directly support more investment in cybersecurity.