Guest author Bruce deGrazia, JD, CISSP, is a collegiate professor of cybersecurity management and policy at UMGC.
Every day a new cyberattack takes place somewhere in the United States. These attacks can originate domestically or internationally, and their motives range from financial gain to state-sponsored, low-level warfare. Whatever the threat, the common thread is that there is no easy way to stop them.
What is the solution? We’ve seen policy approaches, including simple strategies such as training. We’ve seen technical approaches, such as stronger firewalls. Also in the national cybersecurity conversation is a discussion around what is known as the Orlando Doctrine, in which private organizations can legally target suspected hackers and destroy their infrastructure. None of these approaches appear to work, as successful cyberattacks have only increased, leading experts to search for other solutions.
One of those is the idea of public-private partnerships.
A public-private partnership takes various forms, from the sharing of costs and profits, as occurs with a toll road, to the sharing of information between the private sector and the government without the fear of liability for antitrust. It is the latter type of public-private partnership that has been proposed to address cyber-vulnerabilities and attacks. The question is: Will it work?
This idea is not new. As early as 2009—a lifetime in cybersecurity years—the Intelligence and National Security Alliance (INSA), a not-for-profit organization of private-sector government contractors in the intelligence and national security fields, offered various models of how such a partnership would work. INSA looked at successful partnerships in fields other than cybersecurity to determine whether those approaches could be transferred. Ultimately, it proposed bringing together a series of panels, the members of which would encompass individuals, private-sector companies and government organizations, to share information and draft voluntary standards for use across industry.
INSA’s proposal was good but was never implemented. To have done so would have required action not only by the executive branch of government, but also through legislation. In addition, the private sector, including internet service providers, would have needed to accept the concept of voluntary regulation. The information technology industry is vehemently opposed to regulation of any sort. Even voluntary standards were a non-starter.
Legislation has been proposed in Congress to create public-private partnerships for cybersecurity. In 2020 and 2021, the bipartisan Enhancing Grid Security Through Public-Private Partnership Act was introduced in both the U.S. House and Senate. This bill focuses on just a single industry—the electricity generation and transmission sector—but one that is seen as particularly vulnerable and for which a successful attack on the grid would have devastating consequences. Focusing on preventing such an attack is a logical place to start.
The proposed legislation is hardly earthshaking. It simply directs the secretary of energy to create a program to develop a basic framework for auditing, self-assessments, training, sharing best practices and setting up third-party vendor guidelines. It also requests that the secretary of energy provide a report that evaluates policies and procedures for enhancing the cybersecurity of the grid.
So, what happened to the bill? In the previous Congress, it passed the House and was sent to the Senate, where it died in committee. In the current Congress, the bill has also passed the House and is back in the Senate—under consideration by the same committee that previously reviewed it.
Unfortunately, the outlook for public-private partnerships to advance cybersecurity looks dim. The most comprehensive proposal, that of INSA, appears to have gone nowhere. Even approaches that target a single industry, like the bill now in the Senate, are not assured.
Perhaps the public-private partnership is not the way forward. We need only look as far as the INSA proposal to see why. Voluntary regulation is unpopular. Industry does not like regulation in general and will use the process to delay any attempt to impose rules. The IT industry is notoriously independent and likes it that way. Also, because there are as many cybersecurity technology solutions as there are companies, competition among the creators of those solutions is fierce. Where would the “best practices” come from?
The bottom line is that the INSA and legislative approaches presuppose a high level of voluntary cooperation between government and the private sector. In our competitive marketplace, that cooperation is difficult to achieve if a trade secret might be revealed or if a company might lose a strategic advantage.