Last week, I spoke to two groups of chief information security officers (CISOs). While I went in to talk about some of the information sharing initiatives I worked on while I was in government, I was surprised that they were more interested in getting a better understanding of the strategy that is driving the Obama administration.
Questions were along the lines of “what is government going to do and what does government expect the private sector to do in a cyber incident?”
I was caught a little off guard as I thought this fell into the “asked and answered” category, at least in the cyber community in Washington, D.C. Michael Daniel, the president’s cybersecurity coordinator (and my old boss) has been pretty solid on this point.
Daniel’s 2013 speech at the RSA conference lays it out clearly: Private companies are responsible for their own network defense—the government’s job is to help them protect themselves. Jay Healey at the Atlantic Council refers to this as a “private sector-centric” approach. I like to call it the “Home Depot” model: You can do it; we can help!
Under current policy, private companies should be able to count on the government to do the things that only government can do:
- Investigate and prosecute cybercrime;
- Apply diplomatic pressure on countries to stop engaging in economic espionage and to investigate cybercrime;
- Use economic sanctions selectively when diplomacy fails;
- Provide the threat and vulnerability information, collected through intelligence and other means, that companies need to protect themselves; and
- Defend the United States from significant, national events.
One CISO summed up the approach as “private sector, drop dead” (New York is a rough audience). That conclusion implies that government once was responsible for protecting the private sector in cyberspace and now is not. Yet, it was never the case that government assumed this responsibility and for good reason.
Private companies are responsible for their own network defense because they own the networks, from the smartphone to the backbone. No federal agency is sitting on their network looking for each and every bad packet to filter it out. The federal government has spent the last thirty-plus years getting out of the business of running the Internet (with any luck the Commerce Department will complete the last piece this fall). Getting back into the core functions of the Internet for security would reverse that trend, not to mention cause significant concerns over privacy and civil liberties and likely raise significant questions under the First and Fourth Amendments. If the U.S. government took that approach, it's also not likely to work terribly well.
Instead of direct government intervention, the Obama administration has taken the approach of trying to get the markets correctly aligned to value cybersecurity. That's the approach taken with the National Strategy for Trusted Identities in Cyberspace, the National Institute of Standards and Technology Cybersecurity Framework, and the recent executive order on improving information sharing. High-profile breaches and state disclosure laws have also had a significant effect.
And we can already see the market starting to turn. According to Gartner, cybersecurity spending is growing at nearly 10 percent a year versus about 3 percent for overall IT spending. This growth has attracted Silicon Valley talent and East and West Coast venture funding. New products and technologies are coming to market that address long-standing problems at reduced cost.
To sum up, the current strategy makes private companies responsible for their own network defense. The federal government will support the private sector by doing the things that only the federal government can do. The federal government will then encourage the private sector to make good investments in cybersecurity. That’s it.
In future posts, I’ll explore alternatives to this approach and why they are all worse ideas.