Future of Public-Private Security Partnerships Still in Doubt

One of the most obvious and effective ways to curb increasing cyber security threats is for the private sector to join forces with public institutions to orchestrate a coordinated response. Yet despite clear support for such an approach, conflicting agendas and disagreements over standards have left obstacles on the path to create more fruitful public-private partnerships.

Given the surge in cyber security incidents and the diversity and complexity of the ever-expanding threat landscape, experts say it’s become an imperative for private companies, government, and technology providers to share data and collaborate on standards and solutions. Moreover, the target of state-sponsored attacks is increasingly not just clandestine government databases, customer data, or corporate intellectual property (IP), but rather, critical infrastructure like the energy grid, water supply, and financial apparatus—all entities predominantly owned by private enterprise.

Rallying both public and private troops has the greatest potential for minimizing such cyber threats because each brings a different set of knowledge, resources, and problem-solving skills to the fight, according to Bill Wright, director, government affairs and senior policy counsel at Symantec.

“Oftentimes, government has a different footprint on what visibility they have into threats and that’s complemented by the private sector’s footprint and visibility,” he said. “You combine the two and you get a much fuller picture of what the threat looks like.”

Wright pointed to the recent Dragonfly series of attacks on the global energy sector to illustrate the power of public-private sector collaboration for revealing patterns that wouldn’t be visible to any one company - in this case, that phishing attacks weren’t directed at individual targets, but instead were aimed at using those targets to disrupt the broader energy supply chain and ecosystem.

At the same time, more formal and consistent information sharing practices between government and the private sector can help individual companies avoid questionable practices and make better decisions, noted Megan Reiss, senior national security fellow at R Street Institute, a non-profit think tank focused on domestic policy. Specifically, Reiss pointed to recent reports that Facebook had entered into data-sharing partnerships with at least four Chinese electronics companies, including telecommunications giant Huawei, which has been identified by the U.S. government as a potential national security threat.

“A better public-private partnership between the government intelligence community and Facebook might have helped the firm make a different decision about who they go into business with,” she said. “It could prevent any bad publicity that they appear to be in bed with a bad actor.”

All Together Now

With so much to gain, why have public-private security partnerships been slow to form with limited results? The reason is twofold: Companies still carry misperceptions about the real security problem, and public-private entities have diverging standards for what constitutes adequate safeguards, according to Larry Clinton, president and CEO of the Internet Security Alliance.

“There’s a lot of focus on corporate malfeasance, but the real problem isn’t corporations stealing from consumer - it’s bad guys attacking government, companies, and consumer - we are all on the same side and we’re all using the same systems,” according to Clinton. “We need to collectively figure out a way to create a sustainable system out of something that is inherently vulnerable.”

Companies and government should be working together to create and integrate advanced technologies to shore up enterprise network and Internet security, but they also need to focus on economics and policy issues to create a sustainable system of cyber security. That becomes difficult to do because the private sector has a higher risk tolerance compared to government entities, which have to operate within much higher safeguards to meet national security guidelines, he explains.

To bridge the gap, Clinton advocates for things like tax and other economic incentives that encourage data sharing or implementing technologies that adhere to national security level-standards. “If you’re building an Internet of Things (IoT) product and you use state-of-the-art encryption, perhaps it’s a fast track for getting patents approved,” he said. “With some creativity and work, we can remake the system and provide economic incentives that don’t bankrupt government.”

Tech companies should also step it up and work more effectively to share data and pool resources to attack the problem. To that end, Symantec’s Wright says there has been significant progress made, pointing to initiatives like the Cyber Security Threat Alliance, which Symantec co-founded, as an industry model for information sharing.  Symantec also opened up a new privacy research center in Saarbrücken, Germany, working with public and private partners to empower customers to have more ownership over their personal information.

“We have come a long, long way, just going back three or four years in terms of sharing information,” said Wright, while acknowledging the need for better collaboration with government. “We’re still not sharing information or partnering with government as we should be,” he says. “It’s probably a matter of trust more than anything else.”

If you found this information useful, you may also enjoy:

• Ex-cyber chiefs of U.S., Israel Decry Threat Disconnect
• Taking Stock of the Changing Threat Landscape, Circa 2018