In a new report, the Government Accountability Office found that neither the federal government nor private sector stakeholders are satisfied with the other’s performance in the public/private partnership to secure cyberspace.
The dissatisfaction is not symmetrical, though: the private sector expects more from the public sector than it receives. Only 27 percent of private sector survey respondents reported receiving timely and actionable cyber threat information and alerts, and just 16 percent reported having access to classified information. By contrast, four out of five public sector councils surveyed reported satisfactory access to actionable information and commitments from their private sector partners to execute response plans in the event of an attack, although most still noted that the partnership could be improved.
Part of the problem is that neither side is prepared to open its information networks to the other. Private sector stakeholders are concerned about sharing sensitive information with the federal government. “Information security companies could lose a competitive advantage by sharing information with the government which, in turn, could share it with those companies’ competitors. In addition, according to DHS officials, despite special protections and sanitization processes, private sector stakeholders are unwilling to agree to all of the terms that the federal government or a government agency requires to share certain information.”
Likewise, the federal government is reluctant to share sensitive data with the private sector, and in some cases is prohibited from doing so. “Private sector stakeholders are not consistently receiving their expected services from their federal partners because, in part, federal partners are restricted in the type of information that can be shared with the private sector and lack an understanding about each sector’s specific information requirements.” In addition, because many private sector stakeholders deal with several agencies at once, there is a significant risk of duplicated effort and of different agencies passing along inconsistent information.
Another problem identified by GAO is the lack of communication between government and industry about what information and services each side actually needs. While the private sector mostly gets high marks from the government, some public sector councils report that they are not receiving the critical services and resources they expect of their private sector counterparts. For example, while the public sector communications council gave the private sector perfect marks for cooperation, the banking council reported receiving only “some” of what it expected in actionable cyber alerts, participation in planning and running cyber exercises, cooperation with international partners, and willingness to open networks to vulnerability testing. “Most government council representatives stated that they expect better communications and increasing trust between them and their private sector counterparts.”
The feeling is mutual, as “ISAC officials stated that the federal partners are not providing enough cyber threat information that is tailored to their sector’s needs or analytical alert information that provides the tactics and techniques being used by cyber threats. According to these ISAC officials, this more specific information is needed to understand what actions will likely protect their networks.”
To address these problems, GAO recommends that the Cybersecurity Coordinator and the Secretary of Homeland Security use the report’s findings to focus their information-sharing pilot programs on the services the private sector most wants, and that they build out the National Cybersecurity and Communications Integration Center as the focal point for secure information sharing. Only 16 percent of private sector partners reported access to secure information-sharing services; a single, centralized point of exchange could close that gap and, at the same time, eliminate the risk of different agencies providing the private sector with inconsistent information.
Until a secure and centralized way to share data is developed, it will be impossible to build the trusted relationships that are key to cybersecurity, as Melissa Hathaway pointed out in May. “We can no longer afford to fall short of operationalizing the private-public partnership and secure our Nation’s networks,” she writes. Hopefully, these recommendations will move us a step closer to securing our critical information networks.