Public, Private Sectors Partner on Security

Tuesday, March 8, 2011 @ 02:03 PM gHale

When talking about teamwork the saying “the whole is greater than the sum of the parts” always rings true. No one entity can lead to victory, but everyone working together as a team will win.

The same is true when talking about protecting the networked world. No one entity will prevail; rather, having the government and private sector work together offers a greater chance of protecting the critical infrastructure against any threat.

The problem is that the complexity and interconnected nature of the Internet, and the ever‐evolving and sophisticated threat environment, put cyber security beyond the reach of any single entity. That means to secure the critical infrastructure, companies must work together, government must coordinate its efforts, and industry and government must collaborate.

That is why the Business Software Alliance, the Center for Democracy and Technology, the Internet Security Alliance, TechAmerica, and the U.S. Chamber of Commerce today released a white paper that focuses on cyber security of our critical infrastructure.

“Typically, coalitions of this size can only come to agreement on very broad principles,” said ISA President Larry Clinton. “When it comes to enhancing our nation’s cyber security we understand that the devil is in the details. That’s why we have worked over the past six months to hammer out very specific policy positions that can be embraced by both Internet providers and Internet customers in a way that protects our national security, our economy and our civil liberties. The vast majority of both the equipment that makes up the Internet system as well as the expertise that manages it resides in private hands.”

To that end, government and industry organizations have made investments over the years to develop a strong public‐private partnership. While those investments are paying off, as with most things in security, it remains a moving target. That is why the coalition said more effort needs to go into building on work accomplished and then finding a way to move forward.

Recommendations put forward include:

Risk Management:

  • Standards: Government and industry should utilize existing international standards and work through consensus bodies to develop and strengthen international standards for cyber security.
  • Assessing Risk: Government and industry need to recognize their risk management perspectives stem from different roles and responsibilities. Where government demands a higher standard of care, market incentives need to be available to accommodate non‐commercial needs for security.
  • Incentives: Government and industry must develop a menu of market incentives to motivate companies to voluntarily upgrade their cyber security. The incentives must be powerful enough to affect behavior without being so burdensome as to curtail U.S. investment, innovation, and job creation.

Incident Management: Government should fully establish industry’s seat in the integrated watch center and begin an evaluation and process for growing industry’s presence. Industry should ensure a long‐term plan for filling the watch center seats, and participants should report lessons learned from collaborative exercises as soon as possible and undertake improvement measures on a timely basis.

Information Sharing and Privacy: Government and industry should clearly articulate information needs and how to promote more effective information‐sharing to address those needs; information‐sharing for cyber security purposes should be transparent and should comply with fair information practice principles; government should consider how it can share more classified and sensitive information, particularly the parts of that information that can help the private sector defend its systems; and in consultation with interested parties, including industry and civil liberties organizations, Congress should consider whether we need narrow adjustments to surveillance laws for cyber security purposes.

International Engagement: Industry and government need to engage international organizations and standards‐making processes and work together to develop a strategy for engagement, capacity building, and collaboration on issues of global concern.

Supply Chain Security: Government should expand its participation in the international system that develops supply chain security standards and work with industry to identify and disseminate them. Government should then leverage these standards when it acquires technology and take steps to ensure it does not acquire counterfeit technology products.

Innovation and Research and Development: The public‐private partnership should create a genuine National Cyber Security Research and Development Plan with prioritized, national‐level objectives and a detailed road map that specifies the respective roles of each partner. The plan and its implementation road map should undergo regular review by the partners and be adjusted as necessary.

Education and Awareness: The public‐private partnership should enhance cyber security public awareness and education, and increase the number of cyber‐professionals available to government and business, including through policies that boost the number of science, technology, engineering, and mathematics (STEM) college students graduating each year.

For more information, click here to download the white paper.
