12 March 2018

Who’s In Control? Balance and Power of Cyber Partnership

JASON HEALEY

For over 20 years, these initiatives have been critical to a range of cybersecurity solutions. Perhaps 85 percent of the critical infrastructure (the number varies depending on who is doing the guessing) is owned by the private sector, so government cannot do it on its own.  The first White House cyber strategy of 2003, for example, said the “cornerstone of America’s cyberspace security strategy is and will remain a public-private partnership” and used the word “partner” or “partnership” over 60 times. But while there have been various frameworks and analogies for successful PPPs, there have been few which compare the fundamental relationship of control between the public and private sectors. This ignores key questions: Which sector has the presumptive legitimacy to deal with the issue? Which sector holds the key decision makers? Which sector has the most relative strength to fix the problem?

There are three obvious archetypes: government-led partnerships; balanced partnerships; and private-sector led.

Balance of Power

In many partnerships, the government is presumed to have superior knowledge or ability or authority to act. Some of these may not be PPPs as such, but often are labeled partnerships in strategies and testimony. These fall into four types: nationalize, mobilize and control; control, compel and regulate; orchestrate; and individual enrollment.

In these PPP models, the government sets the tune and deputizes, directs or enrolls the private sector “partners” who are along for the ride. Using authorities from the Telecommunications Act or Defense Production Act, the government can order the industry to comply. But this category also includes relying on Defense Industrial Base companies for consultants or hub-and-spoke information sharing programs where the private sector will “submit indicators of observed cyber threats” to the government before being further shared.

In other models, there is more balance between public and private sectors, such as exchanges of personnel like IT Exchange Program or botnet takedowns like GameOver Zeus. We can be a bit generous by adding Sector Coordinating Councils (SCCs) and Government Coordinating Councils – such as the FSSCC and FBIIC of the finance sector. But it’s a forced fit here, as the government is usually also the regulator. The Dutch are leaders here, essentially applying a multi-stakeholder governance model to domestic cybersecurity decisions.

In the third category of PPPs, the private sector has the clear lead. One approach might be called “supported command.” The government helps as best it can, using its unique abilities, strengths and authorities, such as informing companies if there is intelligence they have been hacked or using diplomatic channels to help mitigate attacks. However there will still be times where the private sector is fully on its own, because the government may not be willing or able to provide any support.

Which is Best?

It depends, but less than you might think.

Each model illustrates varying advantages and disadvantages. It might be natural to assume that “balanced approaches” would be the ideal kind of PPP. But they are only best for a limited set of issues where the public and private sectors are evenly matched in capabilities.

In A Fierce Domain, my history of cyber conflict, it is clear the U.S. government has three key advantages: massive resources; staying power; and access to other levers of power, such as indictments, sanctions, or violence. The private sector brings agility and subject matter expertise, of course, but because it is creating and maintaining cyberspace, it has an ability to bend it if needed.

Government-led PPPs make the most sense in a few areas: regulation in the face of market failure; direct support for other federal missions, like contracting to develop special capabilities for espionage or offensive missions; active defense or coercive diplomacy against nation-state attackers, and strategic cyber warfare.

But government is least effective when it tries to put itself at the center of the action, when it lacks, and likely can never develop, the needed capabilities. In most partnerships, it should be the private sector which has the lead. General Michael Hayden, former director of NSA and CIA, is a proponent of this approach: “The main effort for American cyber defense is the private sector. And the role of government is to do those things that only government can do, and then for the other 98 percent of the problems we have is to be an enabler for the private sector to be the best that we can be.”

Yet the U.S. government all too often ignores these strengths. At a recent conference, a senior military cyber officer insisted on a “partnership” that was in fact, incredibly one-sided: a U.S. bank would not be meeting the government halfway if it did not agree to allowing military sensors on its network.

The White House should accordingly develop a new cybersecurity strategy to push these concepts, or at least authorize new partnerships meant to be private sector-led. The issuance of Executive Order 13800 and support to the most-critical “Section 9” companies, such as through the Financial Systemic Analysis & Resilience Center, builds on the best work of earlier work.

The U.S .government must not fall into the trap of imagining it will be the center of cyber defenses, even when in a high-end cyber conflict. The private sector will be the ones in the trenches, looking back for support, not orders.

The private sector runs the vast bulk of critical infrastructure and cyber defenses. The vast bulk of partnerships should lean this way as well.

This piece is based on a longer essay, “Who’s in Control: Balance in Public-Private Sector Partnerships,” published by the Georgetown Journal of International Affairs.

No comments: