Teaming up for security

Secretary of State Hillary Clinton has commendably warned states, terrorists and their proxies that America will protect its computer networks. To do so, however, the federal government must do much more to reach out to the private sector, which controls the vast majority of U.S. critical infrastructure, from banks to communications to energy.

Cyber security affects every American. It enables the operation of nearly every part of the economy, from banking to manufacturing to retail to health care. Numerous critical infrastructure systems (electrical, fuel distribution, transportation, communication, financial and more) can go dark, collapse, derail or explode if their networks are subverted.

Classified national security activities are generally well protected, so hackers focus on other sensitive but potentially more vulnerable networks and information. Recent attacks on Google in China and last year on the U.S. and South Korean governments show the sharply escalating threat.

Cyber public-private partnerships -- arrangements between government and private organizations to leverage the skills and assets of each -- are a vital piece in any effective defense strategy. Each partner shares in the risks and the rewards, and together they seek to protect the public good and private property.

In the cyber domain, the public and private sectors are deeply intertwined. Banks and government entities conduct secure electronic funds transfers. The private technology industry, several federal government agencies, and the U.S. Department of Energy National Laboratories drive cyber science and technology. The secretary of Homeland Security is charged with leading and integrating federal, state and local government and private sector efforts to protect critical infrastructure and key resources, including cyber resources.

In this highly interdependent and technologically dynamic environment, public-private partnerships offer the best way to mobilize agile, state-of-the-art and scalable resources to protect against and mitigate the risk of cyber attacks.

Traditional government regulation is more suited to less dynamic challenges. For example, the U.S. Department of Homeland Security (DHS) issues chemical facility anti-terrorism standards for facilities that manufacture, use, store, or distribute certain chemicals at or above a specified quantity. Standards may remain essentially the same for months or years.

In the cyber domain, new types of threats emerge suddenly and frequently. They require swift analysis, response and mitigation. In this domain, regulation can be used to set long-term standards regarding the level of protection required, but effective public-private partnerships can rapidly respond to a dynamic threat.

Expanded partnerships can foster better cyber security outreach and be an efficient channel for wide sharing of information and analysis of threats and defensive best practices. Several existing partnership models offer useful precedents.

Through the Civil Reserve Air Fleet, selected aircraft from U.S. airlines are contracted to support Defense Department airlift requirements in emergencies. Standards are met for equipment, readiness, and safety. Airlines are compensated to meet them, and participation does not compromise their commercial operations.

Another model is the Defense Industrial Base Pilot Program, a new partnership that enables the Defense Department and the defense industry to share sensitive information on cyber threats and best practices while respecting national security and private proprietary interests.

These partnerships have common success factors: collaboration in which requirements are identified and accepted, standards are developed, information is disseminated and capacity is identified and managed.

Public-private partnerships can protect U.S. interests abroad. Secretary Clinton announced a new, high-level effort to build a partnership for Internet freedom. This initiative should include a cyber security partnership to help Americans overseas. The Department of State's Overseas Security Advisory Council, with more than 3,500 constituent member organizations, promotes security cooperation with U.S. private sector interests worldwide. It could be the basis for a vibrant cyber partnership.

In fields involving complex technology, independent standards and certification authorities play valuable roles. For example, the respected National Institute of Standards and Technology and the Institute of Electrical and Electronics Engineers play key roles in developing technical requirements and assessing vulnerabilities and best practices for cyber security. Relying on them, partnerships and governments can establish measurable goals, identify weaknesses and develop remedies and preventive measures.

For government, partnerships are a cost-effective force multiplier for cyber defense. They cost the taxpayer very little and are an easy way to extend the government's effectiveness throughout private activity.

The Obama administration should drive an urgent effort to expand public-private partnerships for cyber security. Sen. Joseph Lieberman, chairman of the Homeland Security and Government Affairs Committee, has called for DHS to establish a cyber information-sharing mechanism with the private sector. In a similar vein, the U.S. director of national intelligence, Adm. Dennis Blair, wisely called recently for a "collaborative effort that incorporates both the U.S. private sector and our international partners."

Few public-private partnerships were in place when Hurricane Katrina hit in 2005, and this magnified the disaster. If Washington waits until a cyber Katrina to forge expanded cyber security partnerships, Americans could face an even greater tragedy.

Michael Hayden is a former director of the Central Intelligence Agency and the National Security Agency, and former principal deputy director of National Intelligence. He serves as a national security adviser to CSC, a private firm that provides technology enabled business solutions and services. Samuel Visner is vice president for Strategy and Business Development at CSC, where he leads cyber strategy, and an adjunct professor at Georgetown University. William Courtney, also with CSC, was U.S. ambassador to Kazakhstan and Georgia.

Copyright © 2021, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad