The Emperor's New Public-Private Partnership

These days, there is much chatter in the cybersecurity space about the need for robust "public-private partnerships." Just last month, the Department of Homeland Security in its Blueprint for a Secure Cyber Future, discussed the need for clarification in existing law to strengthen the framework for public-private cooperation. Last week, a non-profit organization announced that in January it will launch the National Critical Infrastructure Cybersecurity Education Initiative, described as "a nationally coordinated public/private collaborative partnership aimed at developing cybersecurity education programs."

My question is simple: what does public-private partnership mean anyway? Beginning in 1998 when President Clinton issued Presidential Decision Directive 63, we have seen information sharing analysis centers (ISAC) for various sectors, sector coordinating councils, and various other "partnership" organizations, both formal and informal, within and between the government and critical (and not-so-critical) sectors. Yet, each year the call for public-private partnerships get louder.

Pending bills within the Senate and House attempt to address the public-private partnership issue but it is unclear whether any of the proposals can do so effectively without addressing the existing structures and the underlying legal frameworks that potentially hinder information sharing.

The saga of the public-private partnership reminds me a lot of the Hans Christian Andersen story about tailors who promise the Emperor a new suit so fine that only those who are worthy can see it. As the Emperor pranced through town wearing this "suit," the people responded with such comments as "Oh, how splendid are the Emperor's new clothes. What a magnificent train! How well the clothes fit!" It was only when a young child spoke up, yelling "but he isn't wearing anything at all," that the Emperor and his subjects realized the truth -- there was no suit.

I worry that an effective public-private partnership on cybersecurity may be like the Emperor's suit -- non-existent -- and that, without a voice to set us straight, we may continue to admire a system that isn't possible under today's laws, regulations, and competitive environment.