I recently had an opportunity to speak to a group of cyber security leaders from across industry and government who had gathered at the Army Cyber Institute in West Point, N.Y. Much of the day was focused on the importance of public sector and private industry working together to defeat our common cyber adversaries. My remarks, however, focused on just how hard that collaboration will be under current circumstances. One thing holding back meaningful progress to that end is a profound lack of transparency.
Each side has different objectives, agendas and approaches, leading to the Kafkaesque result we find ourselves in today. Without better defined roles and responsibilities, it is unlikely we will ever develop appropriate expectations of one another. It’s even less likely we will develop the necessary sense of trust, a foundational ingredient to constructive partnership.
And so, here are a few areas where we should “un-blur” the lines:
- Intelligence gathering, while controversial, is an inherently governmental function. It is imperative that intelligence efforts be clearly separated from information assurance efforts, and appropriate barriers be taken to assure that the latter isn’t hampered by national efforts of the former. To be certain, the United States may have great cyber skill in the intel community, and intel can and should inform information assurance efforts, but there can be no confusion about authorities, responsibilities or purpose of use in national information defensive efforts.
- Similarly, government, intelligence and defense communities cannot and should not be in the business of defending private sector networks and systems. That is a slippery slope, creating moral hazard for the private industry’s network defenders and an impossible task for the government.
- Legislation and regulation are critical governmental authorities and responsibilities. While these areas risk unintended consequences, there is greater risk in inaction. Such efforts are not in lieu of free markets, but rather to help achieve balance. Among these is the need for greater transparency, especially into breaches, among other things, whether breaches affect personally identifiable information or not.
Private businesses, as the owners and operators of so much of the national infrastructure, are responsible for securing it. Industry needs to take responsibility for its own cyber defenses, and not abdicate that responsibility to the government. Today’s reality is that technology risk is business risk!
Developing critical security technologies and driving innovation is an area of significant private investment. Industry needs to evolve its strategies and tools. For too long, private enterprises have settled for iterative baby steps in innovation while our adversaries stride past us.
Companies must also take an active role in the cyber strategy and policy debate. The results of those debates affect us and indeed, the whole world. Sitting on the sidelines wringing hands is behind us.
I don’t profess to have all the answers, but it’s important to move this idle dialogue forward. Clear roles and responsibilities are prerequisites to establishing trust and meaningful partnership.