Whatever happened to the public-private partnership? There may be a disconnect between what the private sector says is necessary to better secure cyber space and what the government is willing to do, according to a piece in today’s LA Times. The piece highlights a rift between cyber experts in the private sector and the government, and suggests the latter is not taking the threat seriously.
Is this a symptom of Administration fatigue, wherein the political appointees assume they can’t make progress this late in the game so why try? Or is this a tough love approach wherein the Administration actually wants the private sector to secure its own dang databases?
Jerry Dixon, the previous director of the National Cyber Security Division at DHS, is quoted as assessing that “Nothing is happening.” He believes that Washington needs to do much more to protect consumers, businesses, and the government from cyber attacks by criminals, state-based or rogue.
The report suggests two reasons for how we got here: First, the government embraces the notion that the private sector is better suited to deal with this problem. Second, because so many people are in charge of cyber, no one is.
Personifying the hands-off approach, the Director of the National Cyber Security Center (located at DHS) delivered a keynote address at this month’s Black Hat convention in Vegas. His remarks there discussed economic theory, why Abraham Lincoln was the nation’s “first wired president,” and that the financial industry and others needn’t spend more on cyber security than they already do.
The LA Times quotes from his speech, “Over time, the banking industry is pretty rational. So they’re probably doing a good job on investment.” He added that “private security spending in general was probably at about the right level.”
Apparently this was not the answer experts were seeking. The story describes how executives in attendance “grumbled that Lincoln had nothing to do with protecting their corporate networks.”
We’ve covered here the ways in which DHS needs to get its own house in order with respect to organizing for the cyber security mission. But the entire cyber landscape is by design a daunting complex of authorities and interests that fail to fit neatly into a box. DHS oversees protection of government networks. The FBI and Secret Service prosecute perpetrators of cyber crimes. The State Department is involved if a case crosses national boundaries. The role of the armed services is more complicated, as described in this post about how to measure cyber attacks in comparison to armed attacks. Moreover, the Internet’s infrastructure is mainly owned and operated by the private sector.
Dixon makes a point that is at the heart of the problem: lack of leadership. Without a coordinated rationale from the public sector, which has no competitive dog in the fight, the private sector will not spend on security that doesn’t have an obvious and immediate benefit to the bottom line. (It is one thing for Citi to suggest that all banks should beef up cyber security attribution capabilities and quite another for the government to do so.)
“The biggest thing we’ve noted is the lack of a guiding Net plan that includes privacy and infrastructure security,” Dixon said. “We need an overarching cyber doctrine that’s shepherded by the White House.”