FOR THE CYBER PUBLIC-PRIVATE PARTNERSHIP TO WORK THE REGULATORY MODEL NEEDS TO BE REFORMED 

October 20, 2023

Introduction by ISA President Larry Clinton

The Biden Administration’s National Cybersecurity Strategy (NCS) rightfully “recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace.”

Unfortunately, this “essential” goal is undermined in the very same document. Alongside announcing plans to scale public-private partnerships, the Biden Administration also proposes a number of new cybersecurity regulations based on the traditional checklist/compliance model. The adversarial nature of the compliance/penalty culture is counterproductive to the sorts of collaborative partnership that the NCS argues is imperative in creating a sustainable collective defense model. 

The former director of the Cybersecurity and Infrastructure Security Agency, Christopher Krebs, put this concept succinctly: “Protecting privacy is at the cornerstone of everything we do as an agency that depends entirely on maintaining the trust necessary to work with industry through our voluntary programs.” Krebs’s view was echoed in the 2020 study by Atkins and Lawson: “For their part government officials lament that mandates encourage a ‘compliance mentality’ among firms leading to minimalist approaches rather than a concerted effort to secure their systems, cooperate with other firms in their industry or collaborate intensively with federal authorities.” 

The compliance/penalty culture, which is an inherent part of the regulatory structure proposed by the NCS, is especially problematic in cybersecurity. The mindset of the regulator tends to be like that of a parent who feels they must discipline their unruly industry child. In cases of actual criminal or fraudulent behavior, this is appropriate.

In instances such as the Enron, WorldCom, and Volkswagen scandals, regulators stand in for consumers and protect them from malfeasant corporations—as they should. However, in today’s cybersecurity environment, the opponents are not mainly corporate cheats but rather vast criminal syndicates and, increasingly, nation-states and their surrogates that are stealing and corrupting personal data, corporate intellectual property, and national secrets. Even the new Biden Administration cybersecurity strategy acknowledges that, given the state of modern cyber attacks, only the largest and most sophisticated companies are capable of fending off the attackers. Yet the Administration also continues to advocate for ever more stringent cybersecurity regulations on virtually all organizations—which, as we have documented in previous blogs, don’t work. (Link, Link)

The reality, often articulated but rarely implemented, is that government, consumers, and industry are actually on the same side.  

The importance of strengthening public-private partnerships in cybersecurity has been emphasized by numerous top Biden officials. In fact, the very core of the NCS’s approach is the understanding that “deep and enduring collaboration between stakeholders across our digital ecosystem will be the foundation upon which we make it more inherently defensible, resilient, and aligned with U.S. values.” 

As Acting National Cyber Director Kemba Walden said: “We need to step up and work together, shoulder-to-shoulder.” It is time to adopt a new paradigm that moves away from the traditional adversarial regulatory model that is hindering our public-private partnership goals.  

So the rhetoric about public-private partnerships is there, and it has been there for 20 years. What has been lacking is follow-through by the agencies empowered to regulate the private sector. The SEC’s latest sweeping regulations on virtually all publicly traded companies are just one of the latest examples of how the actuality doesn’t follow the rhetoric.

Of course, regulated entities are going to be regulated, but the traditional model not only fails to enhance security; it wastes scarce cybersecurity resources and alienates the very entities our nation needs to rely on to provide critical services and protect our infrastructure.

In future posts we will outline a different model.