CYBERSECURITY: STAKEHOLDERS OR PARTNERS? RETURN ON REPORTING?

August 30, 2021

This week the House Homeland Security Cyber Subcommittee will hold a hearing on one of the hottest legislative topics in the field, entitled “Stakeholder Perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021.” The witnesses will include representatives from the IT, telecommunications, and financial services industries – all major players in the so-called public private partnership for cybersecurity. But the hearing is for the ‘stakeholders’ perspective.’ Huh????

This raises an important question. Is there a difference between being a partner, and a stakeholder?

Spoiler alert: there is.

For example, take McDonald’s. For Mickey-D’s, the stakeholders are you and me, the guys who buy (or used to buy) Big Macs. Does McDonald’s care about me? Sure, a little. If I don’t like the price increase on a Big Mac, do they care? Not really. In fact, even if I stop buying Big Macs (and I have), do they really care? Not really – there are plenty of stakeholders to go around. McDonald’s doesn’t need their stakeholders.

Their partners, on the other hand, are the entities they need: the firms who supply the meat and the buns, provide the transportation in those big trucks, and of course handle the money. The partners are the entities McDonald’s can’t survive without. McDonald’s and all similar sophisticated private entities spend a lot of time cultivating their partners because they know how critical they are to their own survival. They listen with open ears to the constraints and unique needs their partners have and make sincere efforts to work with them. Even with a firm like McDonald’s there is very little ‘my way or the highway’ with their critical partners. To create a secure cyberspace, government needs the private sector as partners – not stakeholders.

Maybe a big reason the public private partnership isn’t working as well as we all need it to work is because government doesn’t really think of the private sector as partners and, more importantly, doesn’t treat them as partners.

Being a stakeholder is really a uni-directional situation. McDonald’s just wants to sell its burgers to the stakeholder. The stakeholder isn’t involved at all in the critical decisions that affect Mickey D’s. The partners are very much involved.

A partnership is a more egalitarian exchange relationship. For example, a good marriage is a partnership. The spouses, being individuals, have different backgrounds and perspectives, but they work with each other to find common ground. Failed marriages are often the ones wherein one “partner” presumes his or her (ok, ok, mostly his) views need to dominate, typically accompanied by strenuous insistence that his needs are best for both. This tends to lead to suspicion, recalcitrance, minimalistic collaboration and eventually failure.

That sounds a lot like the current (actual) relationship between the public and private sectors.

In a successful marriage (or business partnership) there is a sincere effort to understand the other’s perspective, and if one partner needs something from the other there is a sincere effort to make an equivalent accommodation in the other direction. In a really good relationship, the insistent partner says something like, “Let’s give my idea a try and see if it works out – if not, we will do it your way.”

So, let’s go back to Wednesday’s hearing on the stakeholders’ perspectives on the mandatory reporting that some in Congress are demanding. If we were to assume the private entities were willing to sincerely comply with this directive, what is the equivalent concession government will make? What is the Return on Investment, or in this case the Return on Reporting?

If an attacked company is willing to report a qualified cyber incident within 24 hours, detailing the attack and its causes, is government willing to produce a report for the rest of industry within 24 hours that details how similar attacks on other entities can be prevented? Will government pledge to go after the attacker and recover ransom or stolen property in, let’s say, 10 days – the amount of time it took the FBI to recover half the Colonial ransom? Will government commit to provide the funding to assure all cybercrime victims get the Colonial treatment?

If not these commitments, what is government willing to do to provide some return on the investment it is demanding? Is government, for example, willing to say “let’s try this our way for a while and see if it works”? That would mean a commitment to systematic evaluation of the initiative against pre-set objectives – a process that is common for most sophisticated companies that engage in agile management practices.

Functional partnerships are based on sincere understanding of each partner’s perspectives. This begins with not assuming your partner’s good faith. Without that the partnership is doomed to failure. Good partnerships also include a good faith exchange of duties in recognition of the partner’s willingness to make accommodations sought by the other and realistic goals that if not met would result in trying another way.

If Wednesday’s hearing got into some of these deeper and more meaningful issues, it would be an extremely productive event.