How to build a public-private cybersecurity partnership for the modern era

Cyberattacks continue to be reported as a key business risk. In the recent World Economic Forum's Regional Risks for Doing Business 2019 report, survey respondents in six of the world’s 10-largest economies identified cyberattacks as their number one risk.

However, as distinct from other risks such as fiscal crises or energy price shocks, cyberattacks have a clear mitigation: cybersecurity. Yet despite a decade of rising spending, respondents do not have confidence in their ability to deliver sufficiently strong cybersecurity to mitigate the risk. Why is this?

One critical reason is a lack of knowledge and understanding about cybersecurity within even the largest commercial organizations. But how can this be, now that almost every organization has appointed a chief information security officer (CISO), and when perhaps (at least in the pre-COVID era) the world’s most intensive conference circuit allows the constant sharing of experience and best practice between them? The answer is that in every country, knowledge about how to deliver strong cybersecurity – cybersecurity that can really be trusted to mitigate the risk of cyberattacks – remains closely held within a tight government and national security community.

Governments have long had to protect their most sensitive systems against cyberattacks – often mounted by governments in other countries. And of course there is a mirror image: governments have experience of trying to mount cyberattacks on their rivals. Their approaches to defending their most critical systems are thus rooted in both critical necessity and practical experience. Those approaches are typically quite different from cybersecurity practices in the private sector.

It is widely believed that measures for defending the most sensitive government systems – for example, those holding classified secret information – are simple but impractical. Surely the systems are “air gapped” – not physically connected to less trusted systems, such as the internet? While this was once true, governments have since developed sophisticated bodies of practice and guidance on how connections between sensitive and untrusted systems can be delivered in ways that provide strong protection against cyberattacks.

In general, government agencies such as the US' NSA or the UK’s GCHQ have shared widely their cybersecurity expertise through forums such as the National Institute of Standards and Technology (NIST). But the connection of sensitive to untrusted systems – typically referred to as “cross domain solutions” – remains a poorly trodden frontier where knowledge is not widely shared, even among government services. Indeed, until recently, in most countries much of the information was classified and export-controlled. But with increasing political realisation that protecting often commercially-held critical infrastructure and services is today just as important as protecting military and diplomatic secrets, many governments are, in principle, now open to sharing their knowledge.

Few commercial cybersecurity professionals, however, know that this body of knowledge exists. Since it sits at the heart of how spies protect themselves from other spies, perhaps this is not surprising. Perhaps it is equally unsurprising that when the topic is communicated, incomprehension is perpetuated by language that can be prohibitive. Just as commercial security services are unfamiliar with government experience, so government services are frequently unfamiliar with the realities of today’s enterprise environment. Such differing starting points between the two communities means that communication is a barrier even when it is attempted.

Not all these strong security approaches originating from government services are yet practical for mainstream deployment; after all, only recently have products embodying these approaches started to become available to mainstream buyers. But commercial organizations need to assess these approaches against those promoted by incumbent technology vendors (who are, of course, far from being disinterested parties) and then work with start-ups and other innovators to develop the new products and capabilities they need.

Public-private partnerships have been central to the development of cybersecurity over the past decade, through the sharing of threat information between commercial organizations and historically secretive government agencies. The opportunity now exists for a new era of public-private partnership, for a new realm of information sharing.

Commercial organizations will need to push their government partners to share information about how the latter achieve strong cybersecurity for their most sensitive systems, and they will need to devote time to learning and assimilating unfamiliar material. On their part, governments have a number of responsibilities to make the sharing process effective and productive.

First, governments need to talk more openly about topics which have historically only been shared within a small community. There is a cultural element here for historically secretive organizations, and the parallels with threat intelligence sharing are clear: specific programmes and initiatives are required to open up public-private dialogue in an area where there has historically been little or none.

Second, governments need to understand that while many of their practices and experience may be relevant to commercial organizations, not all are. In particular, commercial organizations will be far more interested in protecting against attacks that affect business continuity – for example, protecting against ransomware – than they are in measures specific to the protection of secrets.

And thirdly, government security services need to recognize that the language they use internally fails to resonate with the commercial world, and that mutual incomprehension can be expected. The first job is to build partnership: to discover common terms and starting points that will enable effective communication, while identifying the critical differences that need to be navigated. For conversations in this area, even the most “obvious” assumptions are worth challenging.

Twenty years ago, no one outside government needed to know these high-security approaches. But in a world where businesses report cyberattacks as their number-one risk, it is unreasonable to expect businesses to defend against those attacks without a full understanding of their options. Ten years ago, awareness of cyber risk was low: public-private partnership for threat intelligence sharing has dramatically changed that and brought cyber risk to the top of the corporate agenda. With a new public-private partnership focused on the strong cybersecurity measures that can effectively mitigate the risk of cyberattacks, over the coming decade we can start to drive that risk back down.