Attached is Part II of ISA’s series “A Once in a Lifetime Opportunity for Government to Get Cybersecurity Right”
A ONCE IN A LIFETIME OPPORTUNITY TO GET GOVERNMENT RIGHT ON CYBERSECURITY
PART II THE MISSED OPPORTUNITY: THE FANTASY OF THE PUBLIC PRIVATE PARTNERSHIP
In last week’s post we summarized the ongoing failure of US cybersecurity policy to create a sustainably secure cyber system. We specifically noted that:
· Cyber-attacks are generating trillions of dollars in economic damage annually – a number that is growing rapidly.
· We are successfully prosecuting less than 1% of cyber criminals – a percentage that is going down.
· Our major adversaries (China, but not only China) have developed far more sophisticated and effective digital strategies with the goal of upending the US- and Western-led post-WWII world order.
· Our adversaries have even succeeded in compromising our higher education system so that our best US computer science programs are now mostly training Chinese students who will shortly be leading the attacks on US critical infrastructure.
Notwithstanding controversy about many areas of the current government reform efforts, there can be no doubt that our cybersecurity policies and apparatus need to be substantially re-thought and reformed, and this needs to begin to happen ASAP.
Today we will turn to one of the most obvious fundamental failures, the fantasy of a public-private partnership. We will also suggest how the partnership can begin to be revitalized through the reauthorization and modernization of the 2015 CISA legislation this year.
THE FICTION OF A PUBLIC PRIVATE PARTNERSHIP
STAKEHOLDER OR PARTNER?
The public-private partnership has largely been a rhetorical fiction, an illusion. It is mostly a trope that government officials have trotted out regularly for 25 years with little if any meaning behind it.
With rare exceptions (e.g. the development of the NIST Cybersecurity Framework and a few unique sectors) the public-private partnership has never worked. The main reason for this failure is that government has never bought into the notion of the private sector as a true partner.
To virtually all of government the private sector is a "stakeholder," not a partner. To illustrate the difference between a stakeholder and a partner, consider TikTok. For TikTok, the communications industry is a partner, an entity it works with on common goals for mutual benefit. TikTok's short videos of cutesy dances and the like bring millions of eyeballs to the network providers, who monetize them and divide the resulting millions of dollars with their true partners. The folks who post the cutesy dances are stakeholders to TikTok. Are the teenage dancers important to TikTok? Yes. Are they partners? No.
The dominant view of government toward the private sector in cybersecurity is that we are the cutesy dancers, not real partners.
THE MISSED OPPORTUNITY: THE FAILURE OF THE NIPP
This wasn't the original plan. The Homeland Security era in the United States was born in the wake of the stunning attacks of September 11, 2001 (forever after known simply as 9/11) on the World Trade Center in New York and the Pentagon, and the attempted attack on the White House that was thwarted by passengers who brought down a fourth hijacked aircraft in Pennsylvania.
The atmosphere of that moment was one of unity and collective defense along with a realization that the notion of national defense as a function reserved to the traditional military needed to be re-thought. When the Department of Homeland Security was subsequently created there was a collaborative structure also created in the National Infrastructure Protection Plan, or NIPP.
The NIPP called for each critical infrastructure sector to create a Sector Coordinating Council (SCC), mirrored by a corresponding Government Coordinating Council (GCC) led by the sector's designated federal agency (the Sector-Specific Agencies, since renamed Sector Risk Management Agencies). The idea was that since the vast majority of US critical infrastructure was owned and operated by the private sector, homeland defense would naturally need to include the perspective of the operators, who would collaborate in a new partnership with the government councils.
The NIPP did more than just establish a structure. It articulated the critical risk management rationale as to why this structure was needed. The NIPP noted that the public and private sectors, appropriately, assess risk from aligned but differing perspectives. The private sector is required to maximize shareholder value, so managing risk is largely a commercial issue addressing an economic question: how much security do I need to buy to remain profitable?
The NIPP pointed out that while government has economic imperatives, it also has larger concerns such as national security, privacy, and maintenance of the social safety net. As a result, the government is less risk tolerant than the commercial sectors. Moreover, the government is unencumbered by the economic constraint of profitability.
The problem the NIPP attempted to address is that government and industry use the same internet, most of which is owned and operated by the more risk tolerant commercial sectors. The NIPP was designed to find a way for the private sector to raise its security investment to the level that national security requires in the face of nation-state attacks, while keeping the critical infrastructure providers economically viable. To achieve this, cybersecurity programs, whether setting minimum standards, sharing information or coordinating incident response, would need to accommodate both the security needs of government and the economic imperatives of the private sector partners.
As with any new structure there were growing pains, but there were early efforts to operationalize the collaborative structure. In fact, in 2006 and 2008 the Journal of Strategic Security published a series of articles on studies done by DHS in collaboration with the IT and Communications Sector Coordinating Councils. The studies showed that both government and industry participants found that programs operated in a more collaborative model (equal representation on committees, joint chairmanship, and starting projects with a "blank sheet of paper" on which industry and government together defined goals and objectives) were more successful and more satisfying for both sides.
Although there were repeated efforts to get DHS to adopt the principles and practices the joint studies had documented, the bureaucratic resistance from DHS proved immovable. Over time the notion of an egalitarian partnership faded as government retreated to the "stakeholder" model. Instead of using the entities created by the NIPP and populated by representatives selected by industry, government opted to hand-pick favored individual companies to serve as its private sector proxies.
Government occasionally asked for public comments from industry, but industry did not have a seat at the table as a true partner would, and government kept sole control of the development of cyber policy. By the time the Biden Administration released its National Cybersecurity Strategy Implementation Plan in 2023, there was no mention of the Sector Coordinating Councils at all.
As the notion of a true industry-government partnership continued to fade, the US cybersecurity posture grew worse and worse by virtually every important metric.
THERE CAN BE, AND HAVE BEEN, SUCCESSFUL PUBLIC-PRIVATE PARTNERSHIPS
Although the public-private partnership for cybersecurity outlined in the NIPP has not yet been realized, there are numerous precedents for similar government-industry partnerships operating successfully.
Starting in the early 20th century the public utility model created a partnership with the early telephone and electric companies to provide universal service for these critical utilities. The original phone and power companies operated in the traditional model of providing service only where it made economic sense. The visionary policy makers of the day, however, struck an economic deal with the private companies. The companies agreed to provide universal service, including in uneconomic areas, at regulated and affordable rates. In return the government guaranteed the companies a regulated rate of return on their investment, which essentially created the privately owned public utility model.
This creative public private partnership was largely responsible for the accelerated diffusion of critical power and communications systems across the growing country and helped usher the US from a non-player on the world stage at the beginning of the century into the difference maker in WWI and the dominant world power by the end of WWII.
In 1958 the government created a completely new entity, the National Aeronautics and Space Administration (NASA), which broke traditional models of government-industry collaboration and enabled the US to catch and then pass the USSR in the race to land a man on the moon.
In the 1980s Japan surged ahead of the US in semiconductor manufacturing. Again the US responded with a creative new model, SEMATECH, which brought together and funded a unique consortium of industry, academic and government specialists who helped the US catch and then surpass its Asian competitors in this vital industry.
Most recently the government responded to the global COVID-19 Pandemic by using economic incentives to turbo-charge a competitive effort from the pharmaceutical industry to develop effective vaccines at a pace far faster than the traditional timeline for such work.
In each of these examples government, in varying ways, altered its traditional relationship with industry and developed creative and effective partnerships to address critical national interests. The same can be done, and must be done, to address our cybersecurity threat.
REINVIGORATING THE PARTNERSHIP BY UPDATING CISA FOR SYSTEMIC RISK
The best way to assure that cybersecurity policy is developed in a true partnership mode, and thus to create more effective cyber policy, is to write the partnership into the statute itself. In fact the Supreme Court's recent decision in Loper Bright Enterprises v. Raimondo makes clear that courts will exercise their own judgment about what a statute means rather than defer to the potentially vague "expert interpretation" of regulators.
The Cybersecurity Information Sharing Act of 2015, which needs to be reauthorized and updated this year, would be an excellent vehicle for this clarification. The CISA legislation (the government agency that uses the same acronym came years later) altered the model for industry-government interaction on cybersecurity by creating a liability incentive, rather than traditional regulation, to encourage information sharing between industry and government.
In updating the statute this year Congress should take note of the expanded systemic cyber threat picture created by the market dominance of certain private sector product elements in the cyber ecosystem. The CrowdStrike incident of 2024 illustrated how the failure of one such element, whether through attack (e.g. SolarWinds) or through accident, as with CrowdStrike's faulty update, can create havoc throughout the system.
The reauthorized CISA should mandate that vendors of products holding massive market share (some core products in the cyber ecosystem hold 70-100% market share) report this dominance to their Sector Risk Management Agency (SRMA). The company and the SRMA would be required to work collaboratively to better secure that element. In return, the company would receive liability protection and cost recovery for the work. Organizations whose products have lesser, but potentially problematic, market share and systemic risk would have the option to voluntarily report to the agency and work with government to better secure their product in return for similar liability and cost incentives.
Such an update of the 2015 CISA law would simultaneously increase our nation’s security against systemic cyber risk and strengthen the link between public and private sectors to create a more sustainably secure cyber system.