Modernizing Authentication — What It Takes to Transform Secure Access
WASHINGTON -- The notion that the government needs to establish firm and far-reaching partnerships with the private sector has become a key focus of the debate currently raging over federal cybersecurity.
Given that the private sector owns and operates between 80 percent and 90 percent of the nation's digital infrastructure, the military and civilian agencies realize that they can't go it alone in the face of ongoing and persistent threats from a multiplicity of attackers both at home and abroad.
The catch phrase, a mainstay in nearly every blueprint for federal cybersecurity, is "public-private partnerships."
"It's interesting that it's gotten to the point where it has its own acronym: P3. It's fascinating that it's gotten this status," said Harry Raduege, a retired Air Force lieutenant general who currently co-chairs the Commission on Cybersecurity for the 44th Presidency at the Center for Strategic and International Studies.
But Raduege, speaking at a government and industry conference on Thursday, said that how exactly those public-private partnerships should be constituted remains an unsettled question, and progress is slow.
"One thing that I'm hearing around D.C. from a few folks is that they're tired of P3," Raduege said. "They're not seeing enough results from it."
Senior government officials and experts from several departments were on hand Thursday to tout their efforts in working with contractors and operators of critical infrastructure to craft a cohesive approach to cybersecurity. But they acknowledged that they remain in the early stages, and that much more needs to be done at the regulatory and legislative levels to bring together two spheres that operate under different rules and cultures.
Many of the speakers at today's conference, hosted by the D.C. chapter of the Armed Forces Communications and Electronics Association, listed stumbling blocks in the federal approach to cybersecurity that are familiar frustrations for government contractors.
The procurement process, for instance, which in many agencies remains encumbered by decades-old procedural rules, is woefully unsuited to keeping pace with the quicksilver rate of change in the cybersecurity arena.
But at the same time, the rules in some cases are so well entrenched that efforts to reform or work around them can be "like trying to move an aircraft carrier with a rowboat," said Riley Repko, a senior Air Force advisor.
Several experts also warned of vulnerabilities in the supply chain, urging greater controls to guard against compromised hardware components or other vulnerabilities arriving pre-installed in imported equipment.
At the same time, new rules and regulations can erode an already fragile relationship between the public and private sectors.
"The problem is it's an incredibly delicate balance," said Ellen McCarthy, president of the Intelligence and National Security Alliance, a nonprofit private-sector coalition. "Government directives usually aren't received very well in the private sector."
McCarthy advised a flexible regulatory approach that would provide incentives for private-sector firms for adhering to higher security standards, suggesting tax breaks, safe harbor laws or preferred-status designations.
The idea of incentivizing more stringent cybersecurity standards has found its way into legislation currently pending on the Senate floor. There is broad agreement that the federal government, by virtue of its enormous purchasing power (a $76 billion annual IT budget), can sway private firms to improve security by making it a key criterion of the procurement process.
Members of the private sector have their own wish lists. Ed Mueller, the CEO of Qwest Communications International, chairs the president's National Security Telecommunications Advisory Committee, a body comprised of representatives from 22 businesses representing the defense, financial services, telecommunications and IT industries.
For infrastructure providers, such as Qwest, Mueller stressed the importance of extending some form of legal shield so that industry providers can have the confidence to disclose breaches or suspicious activity on their networks.
Similarly, he said that if a cyber attack were to take down large portions of a network, operators would be plunged into uncertainty over their ability under Federal Communications Commission regulations to ensure that critical traffic, such as government communications or public-safety transmissions, get through ahead of other data.
"While this seems easy, this is extremely difficult for us as a nation to get our heads around traffic management and the ability to control our networks in the event of an attack," Mueller said.
"We need to petition the FCC -- the federal regulators -- to affirm that network providers can lawfully do what's required and not be sued, or not be fearful that there will be a bad economic outcome for the private sector so we know how to do this kind of mitigation or solve this kind of problem in the networks."
The consensus, it seemed, is that there remains a considerable amount of uncertainty about the legal authorizations backing private-sector providers.
"In our country, even if legal, even if righteous, they're going to get sued. Who's going to stand behind them?" said Ret. Gen. Ronald Keys, a senior advisor at the Bipartisan Policy Center.
Earlier this year, Keys's group convened a war-game simulation where several high-ranking former government officials role-played how the National Security Council would respond to a major cyber attack. That exercise, dubbed Cyber Shockwave, highlighted the ambiguity of governmental authority to intervene in the private sector in the event of an attack.
Several cybersecurity bills in the Senate are aimed at addressing that shortcoming, and Majority Leader Harry Reid (D-N.V.) has signaled its interest in reconciling them before the year ends. Last week, Reid and the leaders of several relevant committees sent a letter to President Obama asking for the administration's input on the various legislative proposals.
Many conservative and libertarian groups have already expressed vehement opposition to any proposal to extend executive authority over private-sector networks.