We've all heard the calls countless times for the federal government and private industry to work together more closely to improve information security across both sectors. Too often, these entreaties – some of which have been well thought out and supported by numerous groups and industry luminaries – either have been completely ignored or else only half-heartedly taken up to any great effect. So, yet another appeal recently made by industry groups should come as no surprise.
The Business Software Alliance (BSA), the Center for Democracy & Technology (CDT), the Internet Security Alliance, TechAmerica and the U.S. Chamber of Commerce, last month released their plea for stronger IT security planning in the form of a white paper, “Improving our Nation's Cybersecurity through the Public/Private Partnership.” Having been in the works for some six months and purported to “build upon the conclusions of President Obama's Cyberspace Policy Review,” the paper covers a lot of ground, offering up a slew of recommendations to strengthen cybersecurity across the board. It touches on everything from creating and implementing a “National Cybersecurity Research and Development Plan” and establishing policies that would help “boost the number” of IT-related college grads to establishing processes that engage the international community to collaborate and develop standards on “issues of global concern.” Other areas discussed include supply chain security, information sharing and privacy, incident and risk management, and public awareness and education.
It's a considerable and even inspiring inventory of cybersecurity recommendations (one of which has been covered a great deal in the press – the idea of government approving of tax-breaks and other incentives to drive companies to be more secure). Mighty ambitious, too, considering that while it provides some meat on a few of the suggestions' bones, the to-do list offers scant real details about execution. These, undoubtedly, will be left to the continued collaboration involving other important partners that is implied in the paper's closing: “We look forward to working with the Executive Branch and with Congress to implement these recommendations to promote cybersecurity, spur innovation and protect privacy.”
But, exactly how will they work together? And when? Hasn't that been the problem all along? Despite the lip service given to this nebulous partnership concept over the years (which has covered calls to action ranging from business incentives to more stringent federal mandates to information sharing to the creation of public awareness campaigns), what really has seen the light of day?

It was only a short while ago that the Center for Strategic and International Studies' Cybersecurity Commission for the 44th President was formed to give some detailed advice to President Obama “on the creation and maintenance of a comprehensive cybersecurity strategy.” Members of the Commission include standouts from the U.S. Congress, large private sector businesses, think-tanks and others. The roster is a who's who, really. And their recommendations were tight. But, what really has happened since that group made public its concepts some two years ago? Well, even in its most recent paper from January, the group admits the lack of progress:
“When CSIS published Securing Cyberspace for the 44th Presidency two years ago, cybersecurity was not a major issue for public policy. Along with the work of many others, our first report helped to change this. …We thought then that securing cyberspace had become a critical challenge for national security, which our nation was not prepared to meet. In our view, we are still unprepared.”
The Commission, as well, wants to use this year to really understand what (if any) progress has been made and where participants and the government must take action. The next step, of course, would maybe be, I don't know, real action.
At the same time, cybercriminals aren't slowing down. Heck, they're engaging in more action than ever. Think Aurora and Stuxnet. And, collaboration is their modus operandi. Take a look at the continuous evolution of SpyEye and Zeus, as examples. Then there are the arguably protest-driven incidents ending in embarrassing and revealing leaks of information – like HBGary or WikiLeaks.
Yes, it's great to see various groups, some agencies here and there and the odd lawmaker or government executive fleshing out some aims together. And these recommendations are admirable. But, don't we seem to have an awful lot of them floating around already? More importantly, when are we going to see something actually happen as a result of them? Sans real collaboration with the Executive Office and maybe Congress or some other agencies, we'll continue discussing theory after theory of how we can strengthen cybersecurity together with still little to show for it.

And, as internet-borne bombs are relentlessly lobbed at both public and private entities, more talk is exactly what we could do without.