“It has been 10 years since the first national consensus emerged in
the United States that more needed to be done to protect the national
computer and communications infrastructure,” NSS noted in a report.
“Yet,” it continued, “we are still struggling to find and enable the
right level of public/private cooperation and responsibility assignment
to protect the nation’s critical infrastructure, much of which is owned
and operated by the private sector.”
While acknowledging progress on information sharing in the financial
services and defense industries, the report said much still needs to be
done to enable near real-time situational awareness across the nation’s
critical infrastructure and to fully leverage U.S. government cyber
intelligence capabilities for better protection.
The report found:
- Public and private sector actors often approach cybersecurity from
different perspectives: government typically thinks in terms of worst-case scenarios, while the private sector thinks in terms of most likely outcomes.
- Private-sector participants require information that is specific,
timely and actionable. Data provided by government sources can be
generic, stale, heavily redacted or potentially classified.
- Liability concerns continue to retard broader public/private information sharing.
- Machine-to-machine cybersecurity information sharing is currently supported in only limited cases.
Although sharing implies transactions between equals, that’s not the
case with cybersecurity information, largely because public and private
organizations have different wants and needs, and the government has the
upper hand in getting what it wants.
“The whole goal of the private sector is to protect their
intellectual property and the brand of their company,” an author of the
report, NSS Research Vice President Ken Baylor, said in an interview.
“That’s all they want to do.
“What the government wants to do is standardize how the private
sector responds to cyber threats and make sure they respond well,” he
continued, “and that it’s also a source of intelligence and information
“What the private sector is absolutely terrified of is that the
government will come in with a bunch of overreaching regulations that
require them to do a bunch of things that aren’t relevant to them,
burdensome and of no value,” he added.
A better understanding by government and industry of the relationship
between security and compliance is important, added Phyllis Schneck,
vice president and chief technology officer for the global public sector
at McAfee. “A lot of dialog and collaboration is needed on how do we
foster creative innovation to get the best security and not just
compliance,” she said in an interview.
“If you follow a series of regulations, you’ll check off a series of
boxes, and you’ll get great compliance, but you won’t necessarily be
secure,” she added. “Regulations move too slowly to protect against how
quickly our adversaries are attacking us.”
Public-private sharing is also imbalanced because not only does the
government have the power to compel information from the private sector,
but it also maintains a hoard of classified information that it can’t
or won’t share. “It’s a meeting of non-equals,” Baylor said.
Public and private perspectives on cyber threats can also produce
snags in sharing. “The public sector sees everything as a threat,” Shane
Shook, chief knowledge officer and global vice president of consulting
at Cylance, said in an interview. “Whereas, the private sector
differentiates between threats that affect their business and risks
they’re constantly being bombarded with, whether it be DDoS attacks,
malware, script kiddies or hacktivists.
“The private sector takes the time to differentiate between threats
and risks, while the public sector doesn’t do that,” he said. “It has a
different kind of risk tolerance. It can’t afford to ignore any kind of