Secretary of State Hillary Clinton has commendably warned states, terrorists and their proxies that America will protect its computer networks. To do so, however, the federal government must do much more to reach out to the private sector, which controls the vast majority of U.S. critical infrastructure, from banks to communications to energy.
Cyber security affects every American. It enables the operation of nearly every part of the economy, from banking to manufacturing to retail to health care. Numerous critical infrastructure systems (electrical, fuel distribution, transportation, communication, financial and more) can go dark, collapse, derail or explode if their networks are subverted.
Classified national security activities are generally well protected, so hackers focus on other sensitive but potentially more vulnerable networks and information. Recent attacks on Google in China, and last year's attacks on the U.S. and South Korean governments, show the sharply escalating threat.
Cyber public-private partnerships -- arrangements between government and private organizations to leverage the skills and assets of each -- are a vital piece in any effective defense strategy. Each partner shares in the risks and the rewards, and together they seek to protect the public good and private property.
In the cyber domain, the public and private sectors are deeply intertwined. Banks and government entities conduct secure electronic funds transfers. The private technology industry, several federal government agencies, and the U.S. Department of Energy National Laboratories drive cyber science and technology. The secretary of Homeland Security is charged with leading and integrating federal, state and local government and private sector efforts to protect critical infrastructure and key resources, including cyber resources.
In this highly interdependent and technologically dynamic environment, public-private partnerships offer the best way to mobilize agile, state-of-the-art and scalable resources to protect against and mitigate the risk of cyber attacks.
Traditional government regulation is more suited to less dynamic challenges. For example, the U.S. Department of Homeland Security (DHS) issues chemical facility anti-terrorism standards for facilities that manufacture, use, store, or distribute certain chemicals at or above a specified quantity. Standards may remain essentially the same for months or years.
In the cyber domain, new types of threats emerge suddenly and frequently. They require swift analysis, response and mitigation. In this domain, regulation can be used to set long-term standards regarding the level of protection required, but effective public-private partnerships can rapidly respond to a dynamic threat.
Expanded partnerships can foster better cyber security outreach and be an efficient channel for wide sharing of information and analysis of threats and defensive best practices. Several existing partnership models offer useful precedents.
Through the Civil Reserve Air Fleet, selected aircraft from U.S. airlines are contracted to support Defense Department airlift requirements in emergencies. Standards are met for equipment, readiness, and safety. Airlines are compensated to meet them, and participation does not compromise their commercial operations.
Another model is the Defense Industrial Base Pilot Program, a new partnership that enables the Defense Department and the defense industry to share sensitive information on cyber threats and best practices while respecting national security and private proprietary interests.
These partnerships have common success factors: collaboration in which requirements are identified and accepted, standards are developed, information is disseminated and capacity is identified and managed.
Public-private partnerships can protect U.S. interests abroad. Secretary Clinton announced a new, high-level effort to build a partnership for Internet freedom. This initiative should include a cyber security partnership to help Americans overseas. The Department of State's Overseas Security Advisory Council, with more than 3,500 constituent member organizations, promotes security cooperation with U.S. private sector interests worldwide. It could be the basis for a vibrant cyber partnership.
In fields involving complex technology, independent standards and certification authorities play valuable roles. For example, the respected National Institute of Standards and Technology and the Institute of Electrical and Electronics Engineers play key roles in developing technical requirements and assessing vulnerabilities and best practices for cyber security. Relying on them, partnerships and governments can establish measurable goals, identify weaknesses and develop remedies and preventive measures.