How to build a public-private cybersecurity partnership for the modern era


This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Henry Harrison, Chief Technology Officer, Garrison


  • In every country, knowhow about truly strong cybersecurity is held and protected by governments.
  • Given the increasing threat from and sophistication of cyberattacks on businesses, however, that must change.
  • Here’s how corporates and governments should take the first steps towards each other to build stronger cyber defences all round.

Cyberattacks continue to be reported as a key business risk. In the World Economic Forum’s recent Regional Risks for Doing Business 2019 report, survey respondents in six of the world’s 10 largest economies identified cyberattacks as their number-one risk.

However, as distinct from other risks such as fiscal crises or energy price shocks, cyberattacks have a clear mitigation: cybersecurity. Yet despite a decade of rising spending, respondents do not have confidence in their ability to deliver sufficiently strong cybersecurity to mitigate the risk. Why is this?

 

One critical reason is a lack of knowledge and understanding about cybersecurity within even the largest commercial organizations. But how can this be, now that almost every organization has appointed a chief information security officer (CISO), and when perhaps (at least in the pre-COVID era) the world’s most intensive conference circuit allows the constant sharing of experience and best practice between them? The answer is that in every country, knowledge about how to deliver strong cybersecurity – cybersecurity that can really be trusted to mitigate the risk of cyberattacks – remains closely held within a tight government and national security community.

State craft

Governments have long had to protect their most sensitive systems against cyberattacks – often mounted by governments in other countries. And of course there is a mirror image: governments have experience of trying to mount cyberattacks on their rivals. Their approaches to defending their most critical systems are thus rooted in both critical necessity and practical experience. Those approaches are typically quite different from cybersecurity practices in the private sector.

It is widely believed that measures for defending the most sensitive government systems – for example, those holding classified secret information – are simple but impractical. Surely the systems are “air gapped” – not physically connected to less trusted systems, such as the internet? While this was once true, governments have since developed sophisticated bodies of practice and guidance on how connections between sensitive and untrusted systems can be delivered in ways that provide strong protection against cyberattacks.

The top 10 risks according to business leaders around the world
Image: World Economic Forum 2019 Regional Risks for Doing Business report

In general, government agencies such as the US’ NSA or the UK’s GCHQ have shared widely their cybersecurity expertise through forums such as the National Institute of Standards and Technology (NIST). But the connection of sensitive to untrusted systems – typically referred to as “cross domain solutions” – remains a poorly trodden frontier where knowledge is not widely shared, even among government services. Indeed, until recently, in most countries much of the information was classified and export-controlled. But with increasing political realisation that protecting often commercially-held critical infrastructure and services is today just as important as protecting military and diplomatic secrets, many governments are, in principle, now open to sharing their knowledge.

Few commercial cybersecurity professionals, however, know that this body of knowledge exists. Since it sits at the heart of how spies protect themselves from other spies, perhaps this is not surprising. Perhaps it is equally unsurprising that when the topic is communicated, incomprehension is perpetuated by language that can be prohibitive. Just as commercial security services are unfamiliar with government experience, so government services are frequently unfamiliar with the realities of today’s enterprise environment. Such differing starting points between the two communities mean that communication is a barrier even when it is attempted.

Not all these strong security approaches originating from government services are yet practical for mainstream deployment; after all, only recently have products embodying these approaches started to become available to mainstream buyers. But commercial organizations need to assess these approaches against those promoted by incumbent technology vendors (who are, of course, far from being disinterested parties) and then work with start-ups and other innovators to develop the new products and capabilities they need.

Public-private partnerships have been central to the development of cybersecurity over the past decade, through the sharing of threat information between commercial organizations and historically secretive government agencies. The opportunity now exists for a new era of public-private partnership, for a new realm of information sharing.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

  • Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.
  • Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.
  • Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.


Commercial organizations will need to push their government partners to share information about how the latter achieve strong cybersecurity for their most sensitive systems, and they will need to devote time to learning and assimilating unfamiliar material. On their part, governments have a number of responsibilities to make the sharing process effective and productive.

Taking responsibility

First, governments need to talk more openly about topics which have historically only been shared within a small community. There is a cultural element here for historically secretive organizations, and the parallels with threat intelligence sharing are clear: specific programmes and initiatives are required to open up public-private dialogue in an area where there has historically been little or none.

Second, governments need to understand that while many of their practices and experience may be relevant to commercial organizations, not all are. In particular, commercial organizations will be far more interested in protecting against attacks that affect business continuity – for example, protecting against ransomware – than they are in measures specific to the protection of secrets.

Third, government security services need to recognize that the language they use internally fails to resonate with the commercial world, and that mutual incomprehension can be expected. The first job is to build partnership: to discover common terms and starting points that will enable effective communication, while identifying the critical differences that need to be navigated. For conversations in this area, even the most “obvious” assumptions are worth challenging.

Twenty years ago, no one outside government needed to know these high-security approaches. But in a world where businesses report cyberattacks as their number-one risk, it is unreasonable to expect businesses to defend against those attacks without a full understanding of their options. Ten years ago, awareness of cyber risk was low: public-private partnership for threat intelligence sharing has dramatically changed that and brought cyber risk to the top of the corporate agenda. With a new public-private partnership focused on the strong cybersecurity measures that can effectively mitigate the risk of cyberattacks, over the coming decade we can start to drive that risk back down.
