ARCHIVED 12/9/09

Rob Margetta, Congressional Quarterly, 12/09/2009

For years, cybersecurity experts have expounded on the need for a “public-private” partnership to protect critical infrastructure, financial institutions and other targets of attackers.

But a new report from the Internet Security Alliance suggests the approach thus far has been backward: It should really be a “private-public” partnership. “The public sector is leading the way, where it really should be the private sector that takes the lead,” said ISA President Larry Clinton. The ISA’s report, “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” says the private sector has had little incentive to take on that leadership role.

The report defines cybersecurity not as a technical or tactical problem, but as an economic and strategic one. To bring the private sector to the point of leading, the government needs to switch its focus from regulation to incentives. That means pursuing all of the incentives the government uses in other areas: tying federal funding to compliance, streamlining regulations, creating tax initiatives and liability protections for those meeting government standards, the report said.

Of course, that also would require the federal government to come up with a consolidated list of best standards and practices, Clinton said. “We simply have to apply those initiatives to cybersecurity,” he said. “We need to get these guys involved.”

Clinton called the Troubled Asset Relief Program and other recent government spending initiatives wasted opportunities; that money could have been tied to cybersecurity requirements.

Clinton said the Bush administration took the position that the market would spur companies to make cybersecurity improvements out of self-interest. That didn’t happen, and an effective partnership between industry and the government has been slow to develop, although it has been picking up steam recently, he said.

The report said its purpose is to extend the “dialogue” called for in the White House’s Cyber Space Policy Review, which the report called encouraging.

One challenge of creating a partnership is that private-sector security must work across the board to be effective, Clinton said. Large companies — those that have deep pockets, or handle sensitive government information or play a role in the critical infrastructure — can be brought on board by saying that cybersecurity improvements will boost their security and streamline operations in ways that save money. But for most companies, even those that serve the federal government, the cost of a cyberattack is relatively low, Clinton said. While a large defense contractor would probably have strong cybersecurity procedures in place, its subcontractors, particularly the smaller ones with less to lose, might not.

Because of this, a small company with low security can provide a back door into a larger one with higher security, and cyber-attackers take advantage of this, Clinton said. The solution is to get everyone involved, Clinton said. And there is good news on that front, he said: As much as 80 to 90 percent of the problem can be fixed by implementing standards, practices and strategies that already exist. The trick is to motivate companies to implement them and have an understandable list of standards prepared.

Not every company should have to meet the same standards, he said. A defense contractor that sells desks could receive lower priority than one that makes weaponry. The private sector also has to take action and make cybersecurity part of its corporate business plan, he said. At most companies, individual departments are not responsible for protecting their own data. That task falls to an information-technology department. But data and network defense has to become more deeply ingrained in the fabric of corporations. “That’s got to change,” he said.