Cyber partnership still eludes government and industry

Cyber threats won't get the concerted attention they deserve until industry and government learn to trust each other

At nearly every conference and congressional hearing on cybersecurity, officials emphasize the need for better cooperation between government and industry to deal with computer security threats. No such meeting is complete without a reminder that the majority of the country’s critical infrastructure — including power plants, telecommunications and financial institutions — is privately owned.

That emphasis makes new findings from the Government Accountability Office particularly unsettling, though not surprising: the public and private sectors aren’t meeting each other's expectations for sharing cybersecurity data. According to GAO, the amalgam of information-sharing councils and programs isn’t getting the job done.

Just 27 percent of the 56 industry representatives GAO surveyed said the government was giving them timely and actionable cyber threat information and alerts to a great or moderate extent. For their part, government officials said the private information technology sector was giving them only one of the 10 services that were expected.

GAO auditors concluded that without improvements in private- and public-sector expectations, the so-called partnerships will remain marginal, and “there is a risk that owners of critical infrastructure will not have the appropriate information and mechanisms to thwart sophisticated cyberattacks that could have catastrophic effects on our nation’s cyber-reliant critical infrastructure.”

The reasons are not hard to discern. Industry is wary of sharing sensitive information with government for fear of negative effects on its business. In a recent speech, FBI Director Robert Mueller tried to allay those concerns by saying, “We do not want you to feel victimized a second time by an investigation.”

Meanwhile, the government's penchant for classifying data poses barriers to sharing it with the private sector. “From an industry perspective, government has to be more forthcoming in sharing relevant threat information and not hide behind [the notion] that everything is classified, because it’s not,” said Robert Dix, vice president of government affairs at Juniper Networks.

The Catch-22 is hard to overcome. For instance, the government has identified 18 critical infrastructure sectors, and each sector has a council composed of industry officials and a council of local, state and federal government officials. The Homeland Security Department has issued the National Infrastructure Protection Plan (NIPP) as the framework for dealing with threats to that infrastructure — including cyber threats. 

However, critical information is often classified and resides outside DHS, said Michael Markulec, chief operating officer at Lumeta, which makes a network-mapping product and works with the Defense Department and federal intelligence and civilian agencies.

“So what happens is that you have a framework for having conversations, but the conversations you have aren’t necessarily the right ones,” Markulec said. “We’re not talking about persistent threat vectors, we’re not talking about the latest incursions, we’re not talking about intelligence that maybe is being centralized…and disseminated before attacks happen. And I think that’s where the breakdown is right now.”

Despite the need for improvement, the framework is yielding some good work, Markulec said.

There has been a lot of improvement, agreed Dix, who is chairman of the Information Technology Sector Coordinating Council's Executive Committee, which helped develop NIPP. He was also surveyed by GAO for its recent report.

“I think that what has been evolving in terms of the relationship between industry and government has improved dramatically, but there’s still a ways to go,” he said. “We’re not going to fix this whole thing overnight, but I actually believe there are some positive steps that are being taken in this collaboration between industry and government that aren’t fully acknowledged in the GAO report.”

The upshot is that officials in industry and government are likely to continue to stress the need for better public/private partnerships, but everyone — including government auditors — seems to agree that major progress is necessary. “All of this is grounded in a foundation of trust,” Dix said.

That kind of faith isn’t natural between regulators and the regulated. That’s why cybersecurity threats to privately owned critical infrastructure provoke such unique worries and atypical partnerships. That’s also why there will be many more hearings, conferences and GAO reports before the problems are resolved.


About the Author

Ben Bain is a reporter for Federal Computer Week.
