When federal officials began a series of public workshops on cybersecurity five years ago, they faced a business community deeply suspicious of the government’s intentions — was the Obama administration putting on a charade about security just to sell new regulation? — and of its competence.
Last week in Baltimore, at a vastly expanded version of those early cyber workshops sponsored by the National Institute of Standards and Technology, many of the 700 or so industry leaders and security professionals in attendance appeared convinced.
“My impression is that industry groups are generally pleased with cyber partnerships,” U.S. Chamber of Commerce vice president for cyber policy Matthew Eggers commented.
“Fundamentally, public-private collaboration is always changing,” he said. “There isn’t one partnership model but many — just as there are numerous companies, sectors, and associations that work continuously with multiple government entities.”
NIST’s Matthew Barrett called the well-attended Baltimore conference “an affirmation that the model is vibrant and important and functional.” The event brought in leaders from all 16 designated “critical infrastructures,” such as the telecommunications, energy, financial and technology sectors.
Two of the “Big Five” tech companies that play huge roles in the digital economy — Microsoft and Google — made presentations on software and other issues. An Amazon representative was scheduled to present but ran into a scheduling conflict, while Apple and Facebook don’t appear to have sent anyone.
In the past, such nonparticipation could be explained by the tech-sector’s desire to keep an arm’s distance from Washington, one federal official said, but that stance has softened in recent years.
And, the official said, there was an intentional decision several years ago “not to lean too heavily” on the big IT firms. “IT is only one of 16 critical infrastructures and we didn’t want them to overwhelm the stew,” the source said.
Meanwhile, Barrett pointed to NIST’s updated cybersecurity standards and a panoply of other collaborative efforts on privacy, securing the “Internet of Things” of inter-connected devices, and other cutting-edge cyber issues that were discussed in Baltimore.
He acknowledged that people on the business side “are feeling maxed out and have to decide where to engage.”
But Barrett said of the public-private partnership model: “The private sector still wants it.”
Senior Department of Homeland Security official Bob Kolasky, who heads the new National Risk Management Center, called himself “an evangelist for the public-private partnership model,” and noted that mostly privately owned critical infrastructure “is the attack space for adversaries.”
Those companies, Kolasky said, must be brought “into the national security enterprise.”
Kolasky has seen first-hand the evolving attitudes about the government-industry relationship on cybersecurity: At a 2013 NIST-DHS cyber workshop in San Diego, Kolasky faced a near-mutiny from industry participants when he seemed to suggest DHS might monitor and assess companies’ individual cyber efforts.
Officials quickly walked it back.
Now, some of the highest praise for the current work on public-private cyber collaboration comes from veterans of the previous administration, who sometimes faced accusations of having a hidden regulatory agenda.
“For the most part, the public-private partnership is stronger than ever,” said Ari Schwartz of the firm Venable, who is a leader of the industry-based Cybersecurity Coalition and was a director of cyber policy in the Obama White House.
“The NIST Cybersecurity Framework demonstrates a great model for a successful partnership,” Schwartz said in an email. It’s “in widespread use among many industries,” and, for example, has strong support “in financial services and health care,” among others.
Schwartz added that DHS work on securing business supply chains — often cited as the key point of vulnerability — “shows that government realizes it can’t be successful in security without the private sector.”
Further, he pointed to an emerging Trump administration strategy on “botnets” — networks of hijacked computers, often thousands or millions of them, that attackers direct to carry out automated attacks without their owners’ knowledge — as demonstrating an approach where “agencies take leading roles but also defer to industry where appropriate.”
Christopher Painter, who was cybersecurity coordinator at the State Department under President Obama — and whose position was abolished by President Trump — said the partnership model “is evolving in the right way … but just saying the mantra doesn’t get you anything. What do you mean by information sharing? Sharing what and how? What are the government and industry roles in incident response?”
Painter said “different levels of awareness” across industries continue to pose a challenge to the collaboration model.
And looking ahead, the U.S. Chamber’s Eggers said clarity on government and industry roles is still needed in some areas, including on managing supply-chain risks and in sorting out the robust role the Trump administration wants the military to play in securing privately owned critical infrastructure.
“When you talk about cybersecurity, it’s inherently a public-private problem,” said Mike Hsieh of the Foundation for the Defense of Democracies, who is working on collaborative projects with the tech and defense sectors and government partners. He said Defense Department-related projects on research and technology over the past 50 years provide plenty of examples of successful uses of the partnership model.
“The equities are construed in different ways but you can’t get away from the public-private approach,” Hsieh said.