WASHINGTON – The government and business communities haven't always been comrades in arms in cyberspace, but officials in both sectors say that public and private organizations need to better coordinate to address the evolving digital threats to critical infrastructure.
October marks Cybersecurity Awareness Month, an occasion Jay Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, greeted with a stark warning.
"We've been losing. We've been losing every step of the way. We are still losing today," Healey said at an event hosted by the Information Technology Industry Council and the law firm King and Spalding. "If anything, the bad guys are continuing to pull away from us."
In his public remarks on the issue, President Obama has framed cyber threats as an economic threat as well as a matter of national security, citing the monetary hit that businesses take when hackers steal intellectual property and breach their databases.
That positioning was reflected in the cornerstone of the administration's cybersecurity policy work to date – the voluntary cybersecurity framework of guidelines and best practices for protecting the areas of critical infrastructure operated by the private sector that the Department of Commerce released this February.
Earlier this week Obama hailed that framework, which emerged after meetings with thousands of stakeholders in industry and academia, as "a model of public-private cooperation."
Commerce Secretary Penny Pritzker and her top lieutenants have made digital issues an integral part of their economic policy work, according to DoC General Counsel Kelly Welsh. In that effort, he adds, the department treads a line between promulgating security standards and allowing for the fast-moving tech sector to develop at its own quicksilver pace.
"One critical challenge that we all face in doing that is how to protect against increasing cybersecurity risk without hampering the growth of our Internet economy," Welsh says. "We know that cybersecurity and innovation are not at odds. Solving the cybersecurity problem will require us to look beyond point-in-time solutions and focus on developing rigorous processes to stay ahead of the threat."
Solving Cybersecurity Requires Public-Private Partnership
Whatever a solution to the "cybersecurity problem" might look like, it will require closer collaboration both between government and the private sector and also among industry members to share information about emerging threats and vulnerabilities when the attackers so often seem a step ahead.
"Bad actors are sharing. That's how they get so good," says Bently Au, CISO at Toyota Motor Sales USA.
Opening the lines of communication on cybersecurity issues has been a work in progress. Those efforts took a step forward in April, however, when the Justice Department and Federal Trade Commission issued a policy statement outlining a framework for companies to communicate with one another about cyber threats without running afoul of antitrust laws, which business leaders have identified as a chief concern when considering information-sharing policies.
In the meantime, the National Institute of Standards and Technology, the division of the Commerce Department that issued the administration's cybersecurity framework, has put out a call for comments from businesses that have put the guidelines into place. Commerce describes the NIST framework released earlier this year as "version 1.0" in its request for information, and Welsh stresses that the administration is eager to receive and incorporate feedback from industry. NIST has scheduled a workshop Oct. 29-30 in Tampa to discuss the framework.
"We are still in the early stages of an ongoing process," Welsh says. "We will continue to need a sustained and fulsome dialogue between government and private sector to ensure the framework is a living document."