The Defense Department has demonstrated the feasibility and benefits of public/private partnerships on cybersecurity, three experts write.
Michael Hayden was director of the National Security Agency, director of the CIA and principal deputy director of national intelligence. Samuel Visner is vice president and cyber lead executive at CSC. David Zolet is president of strategy and development for CSC's North American Public Sector.
The government warns Americans about health, pollution, weather and other threats. Why not cyber threats? Washington should begin sharing cyber warnings with those responsible for America’s critical infrastructure, from hospitals to water systems to banks. But the private sector should act on its own without waiting for the government.
Public/private partnerships are valuable tools for enhancing public safety and security. Through organized neighborhood watches, citizens report suspicious activities and receive better policing. Drug stores report data on the sales of certain pharmaceuticals, helping public health officials issue timely alerts about contagious diseases. Emergency management agencies and private suppliers of food and other consumables share information that helps them aid victims of natural disasters.
Cyber threats are growing. Advanced persistent threats already target the public and private sectors, with potentially dire consequences. Infection of a dam’s electronic control system, for example, could cause it to unleash cascades of water and destroy homes and lives downstream.
The code for the Stuxnet virus, which disrupted the industrial processes that control Iran's uranium enrichment, is now available on the Internet. Adversaries could adapt such tools to harm process-oriented infrastructure, such as chemical plants and electric power grids.
To protect against attacks, private-sector involvement is crucial. Private industry owns 85 percent of the country's critical infrastructure and deploys far more cybersecurity experts than the government ever will.
The Homeland Security and Justice departments counter cyber threats, but much more should be done.
As a first step, critical infrastructure operators and their IT providers should band together and establish a clearinghouse to share information on cyber threats and countermeasures. An umbrella cybersecurity operations center or a streamlined group of federated centers could oversee collaboration without raising antitrust obstacles.
A cyber partnership between the Defense Department and the private sector is a second way forward. The Defense Industrial Base program represents a growing commitment on the part of government and industry to work together to share information about threats and best practices to protect important unclassified data. Recently, then-Deputy Defense Secretary William Lynn pointed out that DOD shares sensitive data with private participants, who integrate it into their network defenses.
Lynn said DOD is now working with DHS and the White House to expand the pilot partnership to other sectors of critical infrastructure. It ought to be an urgent priority. New protections and incentives must guide voluntary information sharing. If the risks and consequences of cyberattacks are lowered, partners might qualify for reduced insurance premiums or incur diminished liabilities.
Finally, more operators of critical infrastructure should establish or gain access to round-the-clock cybersecurity operations centers. They would build on existing coordination efforts and link with a DHS integration center.
National security restrictions hinder the sharing of government cybersecurity data. After the 2001 terrorist attacks, the national security community began sharing more data so they could better "connect the dots." Similarly, security issues associated with sharing information on cyber threats are likely solvable.
Wider access to information and new concepts of public/private trust are essential for America to protect its economy and homeland security against tomorrow's cyber threats.