Beyond Information Sharing: Why Governments and the Private Sector Must Partner to Combat Cybersecurity Threats
As cybersecurity threats continue to proliferate, the need for greater collaboration between governments and the private sector grows more urgent. This means governments and companies need to do a better job of sharing threat information. Experts calling for a closer partnership between industry and government admit there remain barriers to such information sharing, however, especially as cybersecurity crosses into issues of national security. Nevertheless, it’s time to create a common framework for collaboration between public and private sectors when it comes to securing our national and global infrastructure. “No single organization, no single state, no locality can go at this problem alone,” said Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA) at the US Department of Homeland Security, in a recent podcast.
When asked how government and business can work better together to solve some of the biggest cybersecurity issues, experts gathered at this year’s WSJPro Cybersecurity Executive Summit in London responded with a mixture of urgency and caution. Top takeaways include:
Balance regulations and responsibilities. “Government and corporations must work together,” said Cultursys Chairman John Childress, whose company is focused on helping organizations reduce risk by using culture and behavior analytics and system modeling. “One of the key roles of government is to regulate, putting in checks and balances and controls. Regulators need to understand what businesses are trying to do and be cognizant of the accepted risks versus the unacceptable ones.” In particular, he noted that government and businesses need to collaborate much more closely to develop standards and regulations.
Bridget Kenyon, global CISO for Thales eSecurity, sees challenges in how governments and business deal with cyber threats. “Should governments regulate everything to within an inch of its life?” she asked. “That tends to restrict business flexibility and limit competitive advantage on a global scale. Or does government simply encourage businesses to embrace security and hope that market forces will drive results?” Both of these approaches have proved less than fruitful, she warned. “What’s needed,” she said, “is a better balance between regulation and corporate responsibility.”
Don’t forget small businesses. Many governments have focused their corporate cybersecurity support on the largest companies, particularly in critical sectors of the economy. Nic Miller, founder of cybersecurity firm Aedile Consulting, believes that support must include small businesses as well. “Over the past few years, some governments have begun to provide practical advice to smaller businesses,” he said. “This makes sense, because large companies have the budget to go to third-party providers who can offer many of the services…such as threat intelligence and active security defense. Many small businesses don’t have the money to hire a consultant but are desperate for clear advice from an independent, noncommercial source.” Governments, he suggested, are well suited to provide basic recommendations related to issues such as password health and two-factor authentication—things that smaller businesses “can easily implement to improve their security posture.”
Support innovation and testing. “Government definitely has a role to play in multiple ways,” agreed Tom Ilube CBE, CEO for cybersecurity technology and consulting firm Crossword Cybersecurity. “Deep in government, there are people who are well aware of cybersecurity challenges that are an order of magnitude more complex than what companies are facing. This gives government an opportunity to share insights into what’s coming over the horizon.” One of the important things in cybersecurity is having testing grounds, he added. “I think governments can play an important role in creating an environment of innovation and encouraging the cybersecurity startup sector.”
Remember the human cost. Despite the barriers, Lorena Marciano, EMEAR data protection and privacy officer for technology giant Cisco Systems, believes an open dialogue between government and the private sector is crucial. “We should be relying on the capabilities that enterprises have in terms of skills and knowledge and bringing that together with the architecture within government to improve speed,” she said. “We also need to remember that besides being a government or an enterprise, the fundamental piece is that cybersecurity impacts people and their lives. It’s important that governments understand we are all in this together to make sure that we create better and more secure lives for all citizens.”
The good news is that the private sector and governments are increasingly finding collaborative ways to fight growing cybersecurity threats. “Information sharing is the minimum bar,” CISA Director Krebs argued at the recent International Conference on Cyber Engagement in Washington, D.C. “We have to get beyond information sharing—even beyond information exchange—and we have to focus on operationalizing cybersecurity; operationalizing partnerships.”
David Pitlik is a long-time technology and business writer and frequent contributor to NETSCOUT’s blog.
Note: The information above is based on interviews conducted at the June 2019 WSJ Pro Cybersecurity Executive Forum by Wall Street Journal reporters on behalf of NETSCOUT.