Sharing of critical security information between the federal government and the private sector is an important part of protecting the nation's infrastructure and intellectual property from online attackers and thieves, but that knowledge flow isn't always smooth, NSS Labs said this week.
"It has been 10 years since the first national consensus emerged in the United States that more needed to be done to protect the national computer and communications infrastructure," NSS noted in a report.
"Yet," it continued, "we are still struggling to find and enable the right level of public/private cooperation and responsibility assignment to protect the nation's critical infrastructure, much of which is owned and operated by the private sector."
While acknowledging progress on information sharing in the financial services and defense industries, the report said much still needs to be done to enable near real-time situational awareness across the nation's critical infrastructure and to fully leverage U.S. government cyber intelligence capabilities for better protection.
The report found:
- Public and private sector actors often approach cybersecurity from different perspectives: government typically thinks in terms of worst-case scenarios, while the private sector thinks in terms of most likely outcomes.
- Private-sector participants require information that is specific, timely and actionable. Data provided by government sources can be generic, stale, heavily redacted or potentially classified.
- Liability concerns continue to retard broader public/private information sharing.
- Machine-to-machine cybersecurity information sharing is currently supported in only limited cases.
Although sharing implies transactions between equals, that's not the case with cybersecurity information, largely because public and private organizations have different wants and needs, and the government has the upper hand in getting what it wants.
"The whole goal of the private sector is to protect their intellectual property and the brand of their company," an author of the report, NSS Research Vice President Ken Baylor, said in an interview. "That's all they want to do.
"What the government wants to do is standardize how the private sector responds to cyber threats and make sure they respond well," he continued, "and that it's also a source of intelligence and information for them.
"What the private sector is absolutely terrified of is that the government will come in with a bunch of overreaching regulations that require them to do a bunch of things that aren't relevant to them, burdensome and of no value," he added.
A better understanding by government and industry of the relationship between security and compliance is important, added Phyllis Schneck, vice president and chief technology officer for the global public sector at McAfee. "A lot of dialog and collaboration is needed on how do we foster creative innovation to get the best security and not just compliance," she said in an interview.
"If you follow a series of regulations, you'll check off a series of boxes, and you'll get great compliance, but you won't necessarily be secure," she added. "Regulations move too slowly to protect against how quickly our adversaries are attacking us."
Public-private sharing is also imbalanced because not only does the government have the power to compel information from the private sector, but it also maintains a hoard of classified information that it can't or won't share. "It's a meeting of non-equals," Baylor said.
Public and private perspectives on cyber threats can also produce snags in sharing. "The public sector sees everything as a threat," Shane Shook, chief knowledge officer and global vice president of consulting at Cylance, said in an interview. "Whereas, the private sector differentiates between threats that affect their business and risks they're constantly being bombarded with, whether it be DDoS attacks, malware, script kiddies or hacktivists.
"The private sector takes the time to differentiate between threats and risks, while the public sector doesn't do that," he said. "It has a different kind of risk tolerance. It can't afford to ignore any kind of risk."
Read more about data protection in CSOonline's Data Protection section.