Breaking the public-sector/private sector stalemate in cyber security

Department of Homeland Security ICS-CERT

From Derek S. Reveron, the New Atlanticist:  As Cyber Command matures, it tends to dominate national cybersecurity discussions. Ellen Nakashima’s reporting notes coordination across the government occurs, but an anonymous official sees “DOD has the responsibility to defend the nation” crowding out the civilian departments of the government. Given how military commanders are as much policy entrepreneurs as warfighters, we should expect to see the military lead on cyber issues.

As cyber issues are increasingly securitized through law and integrated into national security bureaucracies, we must not overlook how cyberspace is different from land, air, and sea. The most important distinction is the essential role the private sector plays in creating, sustaining, and innovating in the cyber field. The world largely runs on Windows, people connect through Facebook, and Google is both a multi-billion dollar company and a verb. In spite of this, Jason Healey notes that governments must:

Break the fifteen-year public-sector/private sector stalemate. The need for information sharing and trust between the government and private sectors has been well known since before 1998, when US President Clinton issued a decision directive calling for cooperation. Yet nearly fifteen years later, the same findings surface in every exercise and report and are met with the same platitudes and saccharine commitments and action plans.

Recognizing the centrality of the private sector is fundamental. While cyber offense is king, cyber defense can be improved through better cyber hygiene by users and changing the incentive structure to reduce software vulnerabilities by producers. Just as there are regulations and fines governing use of the environment to reduce pollution, it might be time to explore ways for governments to impose costs on companies that enable intrusions through vulnerable software. Allowing the military or national security bureaucracy to dominate policy discussions will likely be insufficient in the cyber age.

Derek S. Reveron, an Atlantic Council contributing editor, is a Professor of National Security Affairs and the EMC Informationist Chair at the U.S. Naval War College in Newport, Rhode Island.  (photo: Reuters)
