On Monday the House Homeland Security Committee released a new GAO study: Key Private and Public Cyber Expectations Need to be Consistently Addressed.
The Government Accountability Office reports that the private sector is disappointed in the public sector and the reverse is also true. From the report:
Private sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations… Public sector council officials stated that improvements could be made to the partnership, including improving private sector sharing of sensitive information. Some private sector stakeholders do not want to share their proprietary information with the federal government for fear of public disclosure and potential loss of market share, among other reasons. Without improvements in meeting private and public sector expectations, the partnerships will remain less than optimal, and there is a risk that owners of critical infrastructure will not have the information necessary to thwart cyber attacks that could have catastrophic effects on our nation’s cyber-reliant critical infrastructure.
Our daughter just celebrated her first wedding anniversary. I recently asked, “Have you uncovered any big expectations either of you brought into the marriage unrecognized by the other?” I will not share her answer. But many of us have been there and have our own answers.
Reading the GAO study, one cyber-partner expects the other to be brilliant, efficient, and consistently effective. Meanwhile the “brilliant” cyber-partner expects the other to be generous, trusting, and communicative.
Sounds entirely like too many just-married couples. We’ve been at this for nearly nine years now. Where’s the realism?
The GAO reports, “The two most expected services private sector stakeholders want from their federal partners are timely and actionable cyber threat and alert information—providing the right information to the right persons or groups as early as possible to give them time to take appropriate action. The percentages of private sector survey respondents reporting that they expect timely and actionable cyber threat and alert information to a great or moderate extent were 98 and 96, respectively.”
Sounding like a tough marriage counselor, the GAO writes, “Only 27 percent of private sector survey respondents reported that they were receiving timely and actionable cyber threat information and alerts to a great or moderate extent.”
I’m amazed the percentage is so high. If I took my wife’s top two expectations of me and she could confidently say I was regularly meeting those expectations 27 percent of the time… even if only to a “moderate extent.” Well, she would probably be thrilled.
Most of the time the public sector has nothing specific to tell the private sector regarding an actionable cyber threat or alert. Most of the time the private sector will know about the threat before the public sector.
When the GAO asked public sector cyber-professionals about their private sector partners, even more good news emerged. “Many government councils reported that the private sector is mostly meeting their expectations in several areas… Four of the five government councils stated that they are receiving commitment to execute plans and recommendations and timely and actionable cyber threat information to a great or moderate extent.” Without my ellipses the tone of the GAO report is more negative. But the quote above is much more honest than quotes on most movie ads.
Despite the basically good news, the public sector wants the private sector to share more. (Isn’t that what the private sector is asking from the public sector?) “One issue is that private sector stakeholders do not want to share their sensitive, proprietary information with the federal government. In addition, information security companies could lose a competitive advantage by sharing information with the government which, in turn, could share it with those companies’ competitors. In addition, according to DHS officials, despite special protections and sanitization processes, private sector stakeholders are unwilling to agree to all of the terms that the federal government or a government agency requires to share certain information.”
Other than FOIA, Congressional hearings, and WikiLeaks, what could those pesky private sector folks be worried about?
There are some real challenges. Read the GAO report. Sure, improvement is possible. But what I read — admittedly between the lines — is the description of an amazingly productive relationship… especially if the two parties don’t focus too much on their unrealistic expectations of each other.
The following is from another website with a very different mission than HLSWatch, but in this case the advice seems appropriate:
It’s okay to have expectations. Everyone does. However, the expectations need to be achievable or the sense of disappointment, disillusionment and despair from failed expectations will bring (the relationship) to the point of wanting to call it quits.
Hopefully, your expectations will include being able to… resolve conflicts, to appreciate your differences… to respect one another, and to be able to discuss values and priorities.
It is very important to be able to identify and actually talk about expectations with one another. Together you can fine tune your expectations so that neither of you are trying to live up to something that is impossible.
I had finished the preceding before reading Mark’s Wednesday piece. If you have not, just keep reading below. Mark and I don’t know each other, live on opposite coasts, and usually start from very different places. Somehow we keep meeting along the way. After a while, recurring coincidence may suggest an emerging pattern.