INTRODUCTION

Shortly after taking office in 2009, President Barack Obama called for a comprehensive review of the nation’s approach to combating cyber threats. The president said,

The federal government cannot succeed in securing cyber space if it works in isolation. The public and private sectors’ interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government depend… Only through such partnerships will the United States be able to enhance cybersecurity and reap the full benefits of the digital revolution.

This essay is an attempt to review the nation’s approach to combating cyber threats and how “best practices” for public-private partnerships may help ameliorate—to some degree—growing cyber threats. The first section describes a brief history of the evolution of cyber-focused public-private partnerships, followed by a discussion of case studies in how such partnerships have demonstrated effective results in enhancing cybersecurity through a robust assessment process. It concludes with twelve best practices generated by that analysis for more effective management of cyber-partnership activities. Ideally, partnerships would continue to evolve to share leadership, appreciate differing perspectives, and develop shared goals and priorities. The digital economy increasingly requires this kind of collaborative environment to continue to flourish, encouraged by the meaningful cybersecurity accomplishments of public-private partnerships.

A BRIEF HISTORY OF THE PUBLIC-PRIVATE PARTNERSHIP FOR CYBERSECURITY

When the first National Strategy to Secure Cyberspace was written in 2003, the mutually shared nature of the Internet led to the proposition that cyberspace would best be secured through a partnership of mutual benefit. It was assumed that industry’s natural interest would lead it to develop adequate technologies and practices to secure the expanding cyber systems.
Government’s role was initially thought to be primarily securing its own systems. With respect to the private sector, government’s role was largely confined to education, international coordination, and assisting with research and development. Market efficiency was assumed to be sufficient to drive adoption of adequate protective measures.
By the time the first National Infrastructure Protection Plan (known as the NIPP) was written in 2006 and updated in 2013, a more sophisticated understanding of digital economics made it apparent that the public and private sectors had “aligned, but not identical, interests” with respect to cybersecurity.

Experience demonstrated that commercial security levels were generally lower than those required for national security and other governmental purposes. The NIPP clarified that a voluntary partnership model that could respond to the quickly changing cyber environment was in the nation’s national and homeland security interests. However, for this voluntary model to succeed, government would need to do more than just rely on naked market forces or traditional regulation to prompt the private sector to elevate its security spending to meet national security needs. The updated NIPP articulated the notion that, to create a sustainably secure cyber system, government could not rely on the private sector to continually make substantial investments that were commercially uneconomic.
Instead, an incentive system similar to those used to meet social needs in sectors such as agriculture, environment, and transportation would have to evolve and be applied to the cybersecurity partnership:

The success of the partnership depends on articulating the mutual benefits to government and private sector partners. While articulating the value proposition to the government typically is clear, it is often more difficult to articulate the direct benefits of participation for the private sector…In assessing the value proposition for the private sector…government can encourage industry to go beyond efforts already justified by their corporate business needs to assist in broad-scale CI/KR [critical infrastructure/key resource] protection through activities such as…supporting incentives for companies to voluntarily adopt widely accepted security practices.

There were periodic efforts to redefine the partnership model for securing cyberspace so that it mimicked the traditional government-industry regulatory model. The most prominent of these efforts was legislation that in 2012 combined the work of the Senate Homeland Security and Commerce committees. This combined bill, drafted under the auspices of Senate majority leader Harry Reid and generally referred to as Lieberman-Collins, would have empowered the Department of Homeland Security to set cybersecurity mandates for large portions of the private sector and granted DHS compliance authority backed by substantial penalties for noncompliance. It defined this new partnership in the following way:

  • This bill creates a dynamic partnership between government and the private sector in which the private sector is responsible for enhancing security of the nation’s most critical infrastructure while the government ensures effective oversight and compliance.

Not surprisingly, industry found this construction of the partnership somewhat strained.

The idea that the private sector would fund national defense needs, including defending against potential nation-state attacks against critical infrastructure, was both naive and impractical. Busch and Austen Givens pointed out in one of the few academic analyses of public-private partnerships, “Any business executive who suddenly announced he was increasing security spending by 25 percent for the good of the nation would almost certainly be fired.”

This is not to say that industry is unwilling to spend on cybersecurity. In fact, industry spending on cybersecurity has more than doubled in recent years and is now over $100 billion a year.[8] By comparison, DHS spending on cybersecurity is just over $1 billion annually and total federal government spending is under $15 billion.

In addition to the financial issues that undermine the attempt to define a traditional regulatory approach as a partnership, there were numerous other reasons why the regulatory approach to cybersecurity was ill-founded, which have been detailed elsewhere.[10] These include the generally unfounded assumption that the primary reason for successful cyberattacks is corporate malfeasance in the form of underfunded security, as opposed to the inherent weakness of the technology and the sophistication of the attackers. There has also been a notable lack of success for the regulatory approaches that have been tried in this area, such as HIPAA (healthcare) and Gramm-Leach-Bliley (financial services), and an enormous negative economic impact that imposing a government-centric regulatory regime would have on goals as desirable as security, such as innovation, economic growth, and job creation.[11] As a result of all these problems, and despite its supporters’ strong majority in the Senate, the Lieberman-Collins bill couldn’t drum up enough support even to make it to the floor.

Following the collapse of the regulatory effort to impose cybersecurity mandates on critical infrastructure, President Obama issued Executive Order 13636 in February 2013, accompanied by Presidential Decision Directive 25. Both documents embraced the voluntary model of industry-government partnership for cybersecurity and more fully defined several of the elements that would be necessary for it to succeed. The president’s executive order largely followed the “Cybersecurity Social Contract” paradigm that had been proposed by a coalition of industry and privacy groups.

This renewed and more fully articulated partnership model called for industry to work collectively with government through the National Institute of Standards and Technology to identify industry-based standards and practices worthy of voluntary adoption by critical infrastructure owners and operators. This framework was to be voluntary, scalable, cost effective, and prioritized. The administration pledged not to seek additional regulatory powers for cybersecurity and to promote voluntary adoption of the targeted standards and practices through the deployment of market incentives. In a rare case of bipartisanship, the social contract model was also embraced by the House GOP Task Force on cybersecurity that had been appointed by Speaker of the House John Boehner. By 2015 such a consensus had developed that cybersecurity would best be addressed through a voluntary industry-government partnership process that independent assessors reported it was difficult to find anyone in the nation’s capital who disagreed with the wisdom of the voluntary partnership model.

HOW TO MAKE PUBLIC-PRIVATE PARTNERSHIPS FOR CYBERSECURITY WORK: CASE STUDIES

Realizing that frustration with the partnership model was building in 2011, the IT Sector Coordinating Council (IT SCC) wrote to DHS undersecretary Rand Beers and requested that DHS join with the IT SCC in a process to develop a set of collaborative guidelines for operating effective partnerships for cybersecurity. Working together, the Government Coordinating Council (GCC) for IT and the industry sector coordinating council devised a three-step program using an adaptation of critical-incident methodology.

First, leaders from the SCC and GCC would select a sample of six programs that had sought to use the partnership as spelled out in the NIPP. Second, since it was understood that government and industry could look at the same program and come to different conclusions as to its effectiveness, the GCC and SCC were asked to independently analyze the programs by accessing planning documents and interviewing key participants.

The goals of the interviews were to assess the participants’ judgment as to whether the programs were successful or unsuccessful in meeting their goals and to identify characteristics of each program that would explain why it was labeled successful or unsuccessful. Finally, the independent GCC and SCC leadership teams jointly analyzed all the results from step two and attempted to identify common elements of the successful and unsuccessful programs. Government and industry independently agreed on which programs fit into the successful and less successful categories and were able to identify a dozen “best practices” that were commonly used in the successful projects and not in the less successful ones. The results of the study were presented at the annual IT/Comms Government-Industry “Quad” conference in 2012. A summary of this analysis and its results follows.

A PARTNERSHIP SUCCESS STORY: THE 2006 NATIONAL INFRASTRUCTURE PROTECTION PLAN

Development of the 2006 NIPP was the result of a collaborative process that reflected multiple rounds of stakeholder review and comment, during which the department received thousands of individual comments. The private sector was given the opportunity to participate in the NIPP 2006 drafting process and reported that DHS made a genuine effort to include it in the plan’s development. The final 2006 NIPP recognized that partnership is the appropriate model for coordination between industry and DHS. In addition, existing cross-sector organizations or their predecessors (like the Partnership for Critical Infrastructure Security) participated and provided a valuable cross-sector viewpoint to the 2006 NIPP. Both the government and industry leadership teams agreed that the process used to create the 2006 NIPP was an example of partnership success.

What Was Successful and Unsuccessful in This Effort

Early involvement by industry in the 2006 NIPP development was judged to be a key to a successful product. The opportunity for industry to provide input as the document was being developed was judged by both DHS and the IT SCC as fundamental to the success of the final document. Among the characteristics praised by both industry and the government were the following:

  • Codrafting: Reflection of private-sector comments in the final language demonstrated that DHS respected and was listening to its partner.
  • Personal commitment by DHS: DHS assistant secretary for Infrastructure Protection, Robert Stephan, owned the NIPP 2006 process and was committed to partnership with all the stakeholders, including the critical infrastructures, in drafting it. He frequently showed his engagement and leadership by engaging directly in draft language–related discussions with stakeholder groups in calls or in person.
  • Personal commitment by industry: The leaders of industry’s sector coordinating councils and information sharing and analysis centers and other bodies were equally engaged.