As part of its effort to address national cybersecurity concerns, the Obama Administration is urging closer cooperation between the government and private industry.
These so-called public-private partnerships have a mixed track record in curtailing cyber-crime, and security experts said the Administration will have to go to great lengths to ensure its efforts are more successful than those in the past.
Cyberspace Policy Report
In a 38-page report released May 29 on the government's 60-day review of cyberspace policy, the Administration said the nation is at a "crossroads," where digital information permeates national life, but that this information rides on infrastructure that is inherently insecure and vulnerable to attacks capable of causing devastating disruptions.
To overcome these weaknesses, the report calls for closer cooperation and more robust information-sharing between the government and private industry. While the government has the responsibility to protect and defend the country against attacks, it's the private sector that builds and operates most of the systems, from computers and the software running on them to the telecommunications networks that connect them.
"Private-sector engagement is required to help address the limitations of law enforcement and national security," the report says. It goes on to say that leaders of various industries need to share more information about attacks and their financial impact.
Revisiting an Old Problem
Security experts say the report struck a familiar tone. "It's a fresh coat of paint on the same old stuff," says John Pescatore, vice-president for information security research at Gartner (IT). Eleven years ago, President Bill Clinton signed Presidential Decision Directive 63, which among other things called for public-private partnerships to protect critical infrastructure.
The main result was the creation of several Information Sharing & Analysis Centers, or ISACs, meant to bring together executives from private industry and government to share information about attacks and vulnerabilities. Several ISACs were created in industries such as electricity, water, and public transportation.
All of them, except for the one created for the financial industry, effectively failed, Pescatore says. "In the ISACs, the government basically wanted companies to give it lots of information without getting anything back in return," he says.
And companies that have participated are loath to disclose sensitive information about attacks because doing so might also lead to the disclosure of trade secrets and other proprietary information. Companies reporting data theft often don't trust the government to keep their sensitive information out of the hands of the public and competitors; many computer crimes go unreported as a result. Some companies have also worried that sharing too much information with participating competitors might be interpreted as collusion under antitrust laws.
How to Foster Trust
Not all of the ISACs met with failure. In the financial industry, banks and credit-card companies are inherently interdependent, Pescatore says. "Security problems and fraud [are problems] they all have to deal with," he says.
The Obama Administration will need to foster trust among parties that share information, says Richard Forno, a principal consultant with KRvW Associates, an information security firm based in Alexandria, Va. "For this to work, everyone has to come to the table and bare all," Forno says. "There has to be a level of trust among the key players. The government can't just step in and mandate what information they have to share and expect the process to work." The government's report appears to acknowledge the challenge it faces. "Government should work creatively and collaboratively with the private sector to identify tailored solutions" that will enable industries to share information easily, the report says.
Corporations may have little choice but to cooperate with the government and each other. "The threat has exponentially increased," says Phil Bond, president of TechAmerica, a trade group that represents the U.S. technology industry. "No one is pretending that this process is going to be easy. A company has to protect its proprietary information, but the flip side is that you have to find a way forward."
Leading by Example
One important step the government can take to encourage better information security is to lead by example, Gartner's Pescatore says. "When the government uses its buying power to improve its own security, that has an effect on the private sector, because better products tend to become more widely available to private companies," he says.
Case in point: The U.S. Air Force bought a specially made, super-secure version of Windows XP from Microsoft (MSFT). In another case, the government mandated that all its Web sites in the .gov domain use a technology that defends against certain kinds of Web attacks, boosting interest in the technology—known as DNSSEC—by the private sector. In a third case, after the Veterans Administration reported the loss in 2006 of a notebook computer containing data on 26 million veterans, the federal government's Management & Budget Office ordered that government notebook PCs have data-encryption software installed to render data useless to anyone other than its owner. Private industry took note and started buying more disk encryption tools.
As vigilant as the government may be, it's well advised to partner with the private sector. True, companies tend to spend little on information security—as little as 0.2% to 0.4% of total revenue, according to figures provided by Pescatore. Even so, companies often understand their information security needs better than government agencies do. "When companies come under attack, they start losing money instantly, so they all buy better protection," he notes.
Hesseldahl is a reporter for BusinessWeek.com.