NIST Official: Businesses Need to Take More Responsibility for Cybersecurity



When it comes to cybersecurity, the relationship between businesses and the government has been almost all carrot and no stick.

And most federal officials say that is the only way to make cyber improvements actually stick in the commercial sector.

Donna Dodson leads the National Institute of Standards and Technology's National Cybersecurity Center of Excellence, which works with businesses to improve their cybersecurity posture, often by helping them find commercially available technology that addresses a specific problem. While cybersecurity guidance can originate within the federal government, the market must independently adopt and promote the technology for it to last, she told Nextgov.

The need for public-private collaboration on cybersecurity has been echoed by other cyber experts. Last week, Peter Fonash, chief technology officer of the Department of Homeland Security's cybersecurity and communications office, said businesses need to be able to exchange up-to-the-minute threat information with the government, for instance.

Dodson said her team is working to hand over some projects to the private sector. For instance, in 2012 NIST's Center of Excellence jump-started the Identity Ecosystem Steering Group, which aims to make online identities more trustworthy and harder to forge. Today, the group is made up of commercial companies, including Microsoft and IBM, and serves as a forum in which members discuss and implement better ways to issue and verify online credentials and to conduct online transactions.

“To have a strong [identity management] ecosystem, while the government can spur some of that, it really needs to be run by the private sector," Dodson said. "It needs to be a market-based approach." 

In the past few years, NIST's Center of Excellence has begun working with specific business sectors to design cybersecurity guidelines tailored to them. For instance, Dodson's team released a guide for health care organizations that use mobile devices to share patient information. While NIST has historically worked closely with the IT industry, focusing on particular sectors, such as financial services or health care, is much newer, Dodson said.

Still, she said, “I think we need to keep working on that tie-in" between the public and private sectors, to better communicate to businesses that "there’s the good and right thing to do in cybersecurity, and here's how those capabilities work in the real world."
