Forging a public-private partnership for cybersecurity

The government and the private sector have an opportunity to build a forward-looking collaboration on security that relies on sharing information and mitigating risk.

Consumers, government and private companies have grown increasingly reliant on cyberspace to manage projects, reach potential clients, serve their constituents and disseminate mission-critical information.

Unfortunately, cyber threats have more than kept pace and, according to McAfee’s 2013 Threat Predictions report, this year will see an even more sophisticated assault on businesses, private citizens, and government organizations.

Former Secretary of Defense Leon Panetta warned government and business leaders to be prepared for an escalation of cyber attacks. Rather than simply being prepared for a disruption in an organization’s activities in cyberspace through denial of access regimes, leaders need to develop strategies to handle destructive behavior that could cripple systems or corrupt data.

There has been no shortage of recommendations to address this growing concern because of the immense value of the information shared on secured networks and systems.

Private sector companies have a financial and competitive incentive to safeguard their intellectual property to ensure novel innovations are brought to market. Public sector entities must safeguard sensitive information – including intelligence reports, citizens’ personal information and financial data, and national security information – to keep it secure and protected from those who wish to harm our people and our economy.

A Shared Purpose

Despite numerous proposals, efforts to establish an effective system to safeguard cyberspace have produced mixed results. Shared goals have yet to give way to a collaborative dialogue that yields a security framework on which all organizations, both public and private, can agree.

A rare opportunity exists today to forge public-private partnerships on cybersecurity solutions that benefit all. This will only be possible, however, if public and private entities can agree on a set of objectives focused on information sharing and risk mitigation strategies while taking privacy concerns into account.

Information sharing is an avenue the public sector is pursuing to encourage the participation of private sector companies in developing and pursuing their own internal cybersecurity programs.

For example, the executive branch provides comprehensive information on emerging threats and trends in industry-specific briefing sessions.  And lately, Congress appears to be redirecting its cybersecurity energies from prescriptive compliance programs towards legislation that promotes the adoption of best practices in cybersecurity by both private sector and public sector entities. This type of legislation rewards companies that have invested in forward-leaning security efforts and established a benchmark for others to follow.

Maturity Models – The Path Forward

Maturity models may be one avenue to forge a public-private partnership for critical infrastructure-related companies. These models are a good way to measure progress against established benchmarks and are forward-looking. Maturity models recognize compliance is a journey, and cannot be achieved overnight or with a single product or tool.

The models also recognize that not all infrastructure or applications must meet the maximum security levels immediately, but progress strengthens the organization and overall security environment. Moreover, the actual process used to develop the model facilitates meaningful information exchange and dialogue necessary to develop a framework for cybersecurity.

Recently, the departments of Energy and Homeland Security partnered with dozens of energy companies to develop a comprehensive maturity model, designed to identify and combat threats in that industry.

Through this working relationship, the energy industry shared information about what risks it is facing, and the government shared data on emerging threats that could exploit weaknesses or exacerbate threats. Together, they provided a framework for the energy sector that enables companies to assess their own situation, resources, consequences and planning.  This partnership demonstrates great promise for the future and shows that public-private partnerships can work and can produce desired, and mutually beneficial, outcomes.

Using the DOE model as an example, other sectors can adapt the maturity model to fit their needs, evaluating how much of the existing model fits their requirements and what actions need to be taken. While specific issues like supply chain management may vary from industry to industry and entity to entity, issues like identity management are universal and affect all consumers, both public and private.

The protection of intellectual property is directly tied to innovation, market share, and research and development, all of which affect the economy.  Maturity models increase awareness, enable action and are integral to the protection of intellectual property as well as sensitive data.  When industry and the public sector are able to access and receive timely, actionable information, better solutions emerge.

The time to act is now.