Much recent talk and writing has focused on the continued need for “real” public-private sector cooperation in the cyber realm. Everyone quotes the famous statistics that 70 percent (or 80 percent, even 90 percent) of our critical infrastructure is owned or controlled by the private sector, and all of that is highly dependent on cyber means to do business. How can the government protect this private infrastructure if it does not own it?
Well, the government does not have a real chance of protecting it if the private sector “owners” and the “protectors” don’t share information in an open and efficient manner. This is an old song, folks, but it remains true nonetheless. Both sides are at fault and need to make changes.
On the government side, they remain reluctant to share intelligence about threats and previous attacks. The old worries about sources and methods still handcuff the intelligence community, and they constantly point out that private companies don’t have a “need to know.” That is interesting, but no longer terribly relevant.
Certainly, we need to be cautious about how we present this information to the public, but we remain way too insulated. The reports don’t need to be printed in the papers, but they should be shared with CISOs and other key players. That would allow the private sector to better protect itself and would spur innovation to get ahead of the bad guys.
On the other hand, the private sector companies who have been hit are abysmal at sharing data when they have been penetrated or attacked. They worry about losing face or business credibility, or that giving data to the government will make their proprietary information subject to FOIA requests by their competitors. The government will never be able to formulate successful defensive methodologies if they don’t get access to ALL the types of nefarious activities that are going after our infrastructure.
The government must find acceptable ways to get the intelligence out to the private sector and to protect private sector information they receive. The private sector, however, has to man up to reality when they are hit and share that information, even if it hurts a bit. To do otherwise hurts us all. There needs to be a way to protect the private sector information in the same way we now protect sources and methods of the IC.
Both sides of the equation need to give ground or the country is the loser. The only ones who win are the bad guys. Let’s grow up and start sharing – NOW.