The federal government is currently handicapped in a way it has not experienced before. Because the digital domain is man-made, governments around the world have different levels of access and freedom of movement within it. In western democracies, the vast majority of the digital domain is privately held and, thus, outside of the direct control of their respective governments. In most of these countries, even the backbone of the internet is outside of the government’s purview in all but the most extraordinary emergencies. This means that federal governments cannot effectively operate to provide the same levels of security that exist in the physical world.
This fundamental paradox of government power (or lack thereof) makes partnerships between the federal government and the private sector imperative. Without them, the government cannot effectively provide even the most basic levels of security for its population. This is also fundamentally not a problem that can be solved through expanded legislation, as the access that would be required for the government to do this on its own would be a real and sizable threat to Fourth Amendment protection against unreasonable search and seizure in the U.S. This means the government must work collaboratively with the private sector in ways it never has before.
This dynamic is one that the private sector must also embrace. The daily cybersecurity battle is being waged on their networks. They are the predominant victims of this unregulated domain, so anything they can do to work collaboratively with the government is in their own best interest. Unfortunately, in general, and especially in the U.S., the public and private sectors are at best ambivalent toward each other and, in many cases, directly adversarial. Regulation generally curtails profit and increases companies’ operational burden.
The current U.S. presidential administration is using a combination of carrots and sticks that is exacerbating this adversarial relationship. The more the government talks of regulation, mandating reporting of activities during a live incident and other requirements for the private sector, the further the private sector is pushed from willing cooperation. While CISA is attempting to bridge the gap with key stakeholders, the traditional levers of government are largely counterproductive and require more outside-the-box thinking in organizations that are traditionally resistant to change and risk. Moving beyond past suspicions will take time and a concerted effort on both sides.
The fastest way to jump-start this growth is by reforming the federal hiring program for cybersecurity talent. Nothing builds bridges faster than having shared experiences. A bidirectional flow of technical talent between the federal government and the private sector builds trust and confidence in ways that no mandated or institutionalized program can. Furthermore, making connections based on shared experience makes the act of cooperation far easier. When the federal government asks for support, its typical processes and its motives are often opaque (with good reason). If a private-sector organization doesn’t have someone who can translate the request or provide general context, those requests are often met first with skepticism and then with legal counsel. With a little bit of understanding of the why, as well as an explanation of the limitations of what the government can do, the private sector is much better situated to provide the assistance that the federal government genuinely needs.
Additionally, the private sector benefits greatly from this knowledge transfer in two primary ways. First, companies are able to get highly trained employees who have access to cybersecurity threat data that very few people outside of the government ever see. Second, these employees also bring a wealth of knowledge and connections around the regulatory space that can help companies build a more nuanced practice when dealing with regulatory risk in this space.
Fundamentally, if the U.S. government wishes to be successful in the digital domain, it will require a complete rebuild of how it tries to provide security to its citizens. The private sector is the linchpin of any successful strategy and, in many ways, it is actually the more powerful player due to its ownership of the battleground. Without a reimagined way of interacting that allows for mutual trust, respect and, ultimately, successful outcomes, the private sector will start to solve this cybersecurity problem on its own in ways that the federal government cannot keep up with. That will only create a more unstable and hostile domain for everyone.
By Security Boulevard