Why government should let industry drive cybersecurity

Kiersten Todt  

Kiersten Todt, formerly executive director of a federal cybersecurity panel, advocates for the private sector to take the lead on protecting computer networks.

The expression "public-private partnership" in cybersecurity has reached the point of being a meaningless cliché and needs to be replaced with a new focus on government collaborating with and facilitating industry, say agency officials and industry leaders.

Whether the topic is threat information sharing, identity management, internet of things security or protecting critical infrastructure, the government must think about these challenges from the private sector's perspective, said New Jersey CTO David Weinstein during a June 30 New America Foundation panel on cybersecurity.

"Government needs to play more of a role of incentivizing industry," he said. "If this is really going to be successful, industry needs to drive it ... that includes the academic and research communities."

"NIST was so successful because we let industry lead it," said Kiersten Todt, who was the executive director of the Presidential Commission on Enhancing National Cybersecurity.

Panelists said government should focus on a few key areas, like harmonizing the patchwork of state laws on breach notification, agreeing to identity management standards or, in the nearer term, developing IoT security standards.

Todt warned that if the private sector sits back and waits for government to come up with policies and solutions for things like cyber insurance, "we're never going to get there. We have to let industry lead some of these efforts and use government as a convening authority."

But she and co-panelist Rick Howard, chief security officer of Palo Alto Networks, said the obstacle has been finding a mechanism for government to work with industry.

"How do you build trust with people you don't like?" posed Howard. "That's really what it is -- people that you have an antagonistic relationship with."

He and Todt both argued that information sharing is not working right now.

"The challenge that we continue to have from the government is bulky data being distributed in a fire hose without context, without the narrative," Todt said. "None of this is valuable."

She said that the classification system also creates a dynamic in which the government can be so slow to share information that, by the time it does, the private sector has already discovered it on its own.

"We have to clean up the classification system because right now it appears that classification is used as an excuse to protect information that government hasn't truly organized," she said.

Todt did express optimism that the Trump administration's cyber executive order goes a long way towards enshrining a risk management approach in government, mapping out better roles, responsibilities and authorities in government.

Weinstein said what the EO fails to do is better leverage state and local governments, which he said are an untapped resource. He argued that the federal government should do more to empower and fund state and municipal governments that are much closer to industry.

While Todt said the EO makes progress, she warned that it leaves a great deal unresolved because it created a number of working groups and reports. It is not clear what role industry is playing in shaping those reports and the policies that will eventually come from them.

"The roles, responsibilities, accountability, that's in [the EO]," she said. "But seeing how that will be executed, whether that's through a report, but more importantly through policies, is where the rubber hits the road."

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.



Reader comments

Mon, Jul 3, 2017, John Metelski (US)

Is George Schmidt George Washington; Is Tim Cook Thomas Jefferson? Hardly. They are the tool makers. The challenge of the third millennium will be how to adapt to achieve happiness for the masses which, as history has repeatedly shown, cycles about evenly between war and peace.

Sun, Jul 2, 2017, Michael DeKort, Lockheed Martin C4ISR/Cybersecurity Engineer and Whistleblower

This article is ABSOLUTE NONSENSE! The FACT is that most commercial and government organizations purposefully avoid several critical best practices like Privileged Account Management because of the loopholes "frameworks" and "guidance" provide. Unless specific and actionable practices are mandated, these folks will continue to bean count and avoid doing what is right. Why? There is not enough room to explain here. Please see my LinkedIn article "Privileged Account Security – The Giant Dirty Secret in Most Organizations' Cybersecurity." Why isn't it being addressed? Lack of Courage.
