How to build a public-private cybersecurity partnership for the modern era


This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Henry Harrison, Chief Technology Officer, Garrison


  • In every country, knowhow about truly strong cybersecurity is held and protected by governments.
  • Given the increasing threat from and sophistication of cyberattacks on businesses, however, that must change.
  • Here’s how corporates and governments should take the first steps towards each other to build stronger cyber defences all round.

Cyberattacks continue to be reported as a key business risk. In the World Economic Forum’s recent Regional Risks for Doing Business 2019 report, survey respondents in six of the world’s 10 largest economies identified cyberattacks as their number one risk.

However, as distinct from other risks such as fiscal crises or energy price shocks, cyberattacks have a clear mitigation: cybersecurity. Yet despite a decade of rising spending, respondents do not have confidence in their ability to deliver sufficiently strong cybersecurity to mitigate the risk. Why is this?

 

One critical reason is a lack of knowledge and understanding about cybersecurity within even the largest commercial organizations. But how can this be, now that almost every organization has appointed a chief information security officer (CISO), and when perhaps (at least in the pre-COVID era) the world’s most intensive conference circuit allows the constant sharing of experience and best practice between them? The answer is that in every country, knowledge about how to deliver strong cybersecurity – cybersecurity that can really be trusted to mitigate the risk of cyberattacks – remains closely held within a tight government and national security community.

State craft

Governments have long had to protect their most sensitive systems against cyberattacks – often mounted by governments in other countries. And of course there is a mirror image: governments have experience of trying to mount cyberattacks on their rivals. Their approaches to defending their most critical systems are thus rooted in both critical necessity and practical experience. Those approaches are typically quite different from cybersecurity practices in the private sector.

It is widely believed that measures for defending the most sensitive government systems – for example, those holding classified secret information – are simple but impractical. Surely the systems are “air gapped” – not physically connected to less trusted systems, such as the internet? While this was once true, governments have since developed sophisticated bodies of practice and guidance on how connections between sensitive and untrusted systems can be delivered in ways that provide strong protection against cyberattacks.

Figure: The top 10 risks according to business leaders around the world. Image: World Economic Forum 2019 Regional Risks for Doing Business report

In general, government agencies such as the US’ NSA or the UK’s GCHQ have shared widely their cybersecurity expertise through forums such as the National Institute of Standards and Technology (NIST). But the connection of sensitive to untrusted systems – typically referred to as “cross domain solutions” – remains a poorly trodden frontier where knowledge is not widely shared, even among government services. Indeed, until recently, in most countries much of the information was classified and export-controlled. But with increasing political realisation that protecting often commercially-held critical infrastructure and services is today just as important as protecting military and diplomatic secrets, many governments are, in principle, now open to sharing their knowledge.

Few commercial cybersecurity professionals, however, know that this body of knowledge exists. Since it sits at the heart of how spies protect themselves from other spies, perhaps this is not surprising. Perhaps it is equally unsurprising that when the topic is communicated, incomprehension is perpetuated by language that can be prohibitive. Just as commercial security services are unfamiliar with government experience, so government services are frequently unfamiliar with the realities of today’s enterprise environment. Such differing starting points between the two communities mean that communication is a barrier even when it is attempted.

Not all these strong security approaches originating from government services are yet practical for mainstream deployment; after all, only recently have products embodying these approaches started to become available to mainstream buyers. But commercial organizations need to assess these approaches against those promoted by incumbent technology vendors (who are, of course, far from being disinterested parties) and then work with start-ups and other innovators to develop the new products and capabilities they need.

Public-private partnerships have been central to the development of cybersecurity over the past decade, through the sharing of threat information between commercial organizations and historically secretive government agencies. The opportunity now exists for a new era of public-private partnership, for a new realm of information sharing.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

  • Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.
  • Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.
  • Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.


Commercial organizations will need to push their government partners to share information about how the latter achieve strong cybersecurity for their most sensitive systems, and they will need to devote time to learning and assimilating unfamiliar material. On their part, governments have a number of responsibilities to make the sharing process effective and productive.

Taking responsibility

First, governments need to talk more openly about topics which have historically only been shared within a small community. There is a cultural element here for historically secretive organizations, and the parallels with threat intelligence sharing are clear: specific programmes and initiatives are required to open up public-private dialogue in an area where there has historically been little or none.

Second, governments need to understand that while many of their practices and experience may be relevant to commercial organizations, not all are. In particular, commercial organizations will be far more interested in protecting against attacks that affect business continuity – for example, protecting against ransomware – than they are in measures specific to the protection of secrets.

Third, government security services need to recognize that the language they use internally fails to resonate with the commercial world, and that mutual incomprehension can be expected. The first job is to build partnership: to discover common terms and starting points that will enable effective communication, while identifying the critical differences that need to be navigated. For conversations in this area, even the most “obvious” assumptions are worth challenging.

Twenty years ago, no one outside government needed to know these high-security approaches. But in a world where businesses report cyberattacks as their number-one risk, it is unreasonable to expect businesses to defend against those attacks without a full understanding of their options. Ten years ago, awareness of cyber risk was low: public-private partnership for threat intelligence sharing has dramatically changed that and brought cyber risk to the top of the corporate agenda. With a new public-private partnership focused on the strong cybersecurity measures that can effectively mitigate the risk of cyberattacks, over the coming decade we can start to drive that risk back down.
