It is generally understood that the public and private sectors need to collaborate to address the nation’s cybersecurity challenges, yet there remain significant questions regarding the circumstances, nature, and scope of those relationships. Legal, strategic, and pragmatic obstacles often impede effective public-private sector cooperation, which are compounded by regulatory and civil liability risks. Different government agencies have competing roles and interests, with the government serving dual roles as both partner and enforcer, influencing how companies facing cyber threats view public authority. These domestic cybersecurity challenges are complicated further by cross-border issues, including inconsistent laws and perspectives regarding, in particular, privacy norms and restrictions, data transferability, and divergent political interests in combating cyber threats.
A welter of issues involving technology, business, law, and policy affect the strategic cybersecurity relationship between the government and the private sector. And many of those issues are evolving and unclear. Because cybersecurity’s challenges are multifaceted, traditional modalities of interaction between government and private sector—between regulators and regulated—do not always capture the nuanced ways in which the nature of the cybersecurity challenge has fundamentally altered these relationships.
In an effort to better understand and, hopefully, help address the challenges of institutionalizing effective cooperation, this paper will explore four key areas that should be clarified as a necessary step in adopting a strategic approach to cybersecurity:
- Why is cybersecurity different from other threats, and why is public/private collaboration uniquely valuable to address cybersecurity challenges?
- What barriers—including, for example, the evolving regulatory and civil litigation landscape, and cross-border challenges—impede effective cybersecurity collaboration, and themselves generate additional layers of uncertainty and cost for institutional victims of cyber attacks?
- In light of those barriers, and available private-sector resources, should companies focus on self-help for addressing cybersecurity issues? When and to what extent can companies more effectively combat cyber threats without government assistance?
- What methods of public-private sector collaboration have been more successful than the traditional models of governance, and what roles can, and should, different parts of the government play in a comprehensive cybersecurity strategy?
While the problems are difficult, the answers may, in some respects, be astounding in their simplicity—solutions grounded in basic principles of organizational communication, teamwork, trust and relationship building, accountability, and foresight to prepare for and invest in mitigating risk before disaster strikes. These approaches are critically important and readily attainable, for those within industry and government who are willing to invest time, thought, and resources proactively, to avoid the far greater costs of an ill-prepared cyber response strategy.
Yet, in other ways, the challenges to effective cybersecurity solutions are confounding. The technology is often complex and constantly evolving, the vulnerabilities are vast and elusive, and the laws are fragmented and unclear. Perhaps the greatest challenges emerge from the significant, sometimes competing, domestic and foreign policy consequences impacting both government and business that flow from any proposed policy or legal response. These issues emerge at the intersection of technology, risk management, business, law, and strategy; successfully navigating them requires a sophisticated understanding of each of those diverse areas.
Government and industry bring a diverse range of resources, priorities, and perspectives to these issues that can sometimes compete. But, at a strategic level, they often are fundamentally aligned in their shared desire to develop effective strategic solutions to cybersecurity challenges. The key is determining how best to maximize the collective resources of business and government at that point of alignment.
Ultimately, the short answer is that no single actor (or group of actors) can figure it out alone. A strategic cybersecurity solution mandates the combined resources and coordination of government and industry, within a practical framework that balances effectiveness with efficiency, and security with privacy and innovation. To reach that solution, we first need to understand the benefits, barriers and alternatives to effective coordination, and why the nature of the problem demands new and innovative forms of collaboration. In doing so, we will come to realize that the government and private sector already are innovating in the forms of collaboration necessary to address the cybersecurity threat; next, the challenge will be to institutionalize and expand these means of working together […]