Public-private effort on cybersecurity needs a push from Congress

The cooperation of government and the private sector is necessary for security in cyberspace, but it might not be feasible without some regulatory muscle.

A White House report on the 14 months since the release of the Cyberspace Policy Review lists some notable accomplishments. A cybersecurity coordinator has been appointed, a military cyber command has been established, and national strategies for trusted online identities and incident response have been initiated. DNS Security Extensions (DNSSEC) are being deployed to help secure the Domain Name System, and the Comprehensive National Cybersecurity Initiative is being updated.

One of the biggest challenges remaining in securing the nation’s information infrastructure is ensuring the cooperation of government, which has responsibility for the nation’s defense, with the private sector, which owns and operates the majority of the critical systems.

That challenge has long been recognized. The White House report notes that “government and the private sector are partnering” or “working together” to reduce financial risks from cyber threats, identify and reduce vulnerabilities from new devices such as smart phones, and protect industrial control systems. But despite those efforts, too little progress has been made.

The need to improve the relationship between government and the private sector is a constantly recurring theme in cybersecurity. After years of lip service, information is being shared, but not on a scale or with a speed that is necessary to meet the demands of cyberspace.

The private sector complains that government is unwilling to share threat intelligence with industry, while industry is unwilling to share with government because of concerns about liability and the possible exposure of proprietary information. As a result, we are still waiting for a real public-private partnership.

President Barack Obama and other government officials reiterated to industry executives at a White House meeting last month that the administration’s approach to cybersecurity would be based on incentives for cooperation rather than on regulation. But some regulatory authority might be necessary to get an effective level of cooperation.

The problem is the conflict between the core interests and responsibilities of the two sectors. It is the government’s job to protect; the private sector’s job is to turn a profit and protect competitive advantages. Those two roles do not conflict so much in the real world, where government can defend its borders and leave industry mostly free to operate. But in cyberspace, the absence of easily defensible borders means we’re all in the fight together.

In the end, the private sector will likely need to accept some meaningful government regulation on cybersecurity, establishing standards of practice and baselines of security that can be enforced. The alternatives are to accept the status quo with large gaps in cyber defenses or turn control of cybersecurity entirely over to the government.

No one is satisfied with the status quo, and the specter of the National Security Agency or the Cyber Command assuming control of the nation’s critical infrastructure raises serious concerns about civil liberties and privacy. The sensible course is a reasonable set of regulatory standards that define the rights and responsibilities of each side in a public-private partnership, ensuring that government and industry each hold up their ends of the bargain and provide the information that the other needs.

Voluntary incentives are fine, but some baseline of compliance is necessary.