How to build a public-private cybersecurity partnership for the modern era


This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Henry Harrison, Chief Technology Officer, Garrison


  • In every country, knowhow about truly strong cybersecurity is held and protected by governments.
  • Given the increasing threat from and sophistication of cyberattacks on businesses, however, that must change.
  • Here’s how corporates and governments should take the first steps towards each other to build stronger cyber defences all round.

Cyberattacks continue to be reported as a key business risk. In the World Economic Forum’s recent Regional Risks for Doing Business 2019 report, survey respondents in six of the world’s 10 largest economies identified cyberattacks as their number one risk.

However, as distinct from other risks such as fiscal crises or energy price shocks, cyberattacks have a clear mitigation: cybersecurity. Yet despite a decade of rising spending, respondents do not have confidence in their ability to deliver sufficiently strong cybersecurity to mitigate the risk. Why is this?

 

One critical reason is a lack of knowledge and understanding about cybersecurity within even the largest commercial organizations. But how can this be, now that almost every organization has appointed a chief information security officer (CISO), and when perhaps (at least in the pre-COVID era) the world’s most intensive conference circuit allows the constant sharing of experience and best practice between them? The answer is that in every country, knowledge about how to deliver strong cybersecurity – cybersecurity that can really be trusted to mitigate the risk of cyberattacks – remains closely held within a tight government and national security community.

State craft

Governments have long had to protect their most sensitive systems against cyberattacks – often mounted by governments in other countries. And of course there is a mirror image: governments have experience of trying to mount cyberattacks on their rivals. Their approaches to defending their most critical systems are thus rooted in both critical necessity and practical experience. Those approaches are typically quite different from cybersecurity practices in the private sector.

It is widely believed that measures for defending the most sensitive government systems – for example, those holding classified secret information – are simple but impractical. Surely the systems are “air gapped” – not physically connected to less trusted systems, such as the internet? While this was once true, governments have since developed sophisticated bodies of practice and guidance on how connections between sensitive and untrusted systems can be delivered in ways that provide strong protection against cyberattacks.

The top 10 risks according to business leaders around the world
Image: World Economic Forum 2019 Regional Risks for Doing Business report

In general, government agencies such as the US’ NSA or the UK’s GCHQ have widely shared their cybersecurity expertise through forums such as the National Institute of Standards and Technology (NIST). But the connection of sensitive to untrusted systems – typically referred to as “cross domain solutions” – remains a poorly trodden frontier where knowledge is not widely shared, even among government services. Indeed, until recently, in most countries much of the information was classified and export-controlled. But with increasing political realisation that protecting often commercially held critical infrastructure and services is today just as important as protecting military and diplomatic secrets, many governments are, in principle, now open to sharing their knowledge.

Few commercial cybersecurity professionals, however, know that this body of knowledge exists. Since it sits at the heart of how spies protect themselves from other spies, perhaps this is not surprising. Perhaps it is equally unsurprising that when the topic is communicated, incomprehension is perpetuated by language that can be prohibitive. Just as commercial security services are unfamiliar with government experience, so government services are frequently unfamiliar with the realities of today’s enterprise environment. Such differing starting points between the two communities mean that communication is a barrier even when it is attempted.

Not all these strong security approaches originating from government services are yet practical for mainstream deployment; after all, only recently have products embodying these approaches started to become available to mainstream buyers. But commercial organizations need to assess these approaches against those promoted by incumbent technology vendors (who are, of course, far from being disinterested parties) and then work with start-ups and other innovators to develop the new products and capabilities they need.

Public-private partnerships have been central to the development of cybersecurity over the past decade, through the sharing of threat information between commercial organizations and historically secretive government agencies. The opportunity now exists for a new era of public-private partnership, for a new realm of information sharing.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

  • Strengthening Global Cooperation for Digital Trust and Security – to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.
  • Securing Future Digital Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.
  • Building Skills and Capabilities for the Digital Future – to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.


Commercial organizations will need to push their government partners to share information about how the latter achieve strong cybersecurity for their most sensitive systems, and they will need to devote time to learning and assimilating unfamiliar material. On their part, governments have a number of responsibilities to make the sharing process effective and productive.

Taking responsibility

First, governments need to talk more openly about topics which have historically only been shared within a small community. There is a cultural element here for historically secretive organizations, and the parallels with threat intelligence sharing are clear: specific programmes and initiatives are required to open up public-private dialogue in an area where there has historically been little or none.

Second, governments need to understand that while many of their practices and experience may be relevant to commercial organizations, not all are. In particular, commercial organizations will be far more interested in protecting against attacks that affect business continuity – for example, protecting against ransomware – than they are in measures specific to the protection of secrets.

Third, government security services need to recognize that the language they use internally fails to resonate with the commercial world, and that mutual incomprehension can be expected. The first job is to build partnership: to discover common terms and starting points that will enable effective communication, while identifying the critical differences that need to be navigated. For conversations in this area, even the most “obvious” assumptions are worth challenging.

Twenty years ago, no one outside government needed to know these high-security approaches. But in a world where businesses report cyberattacks as their number-one risk, it is unreasonable to expect businesses to defend against those attacks without a full understanding of their options. Ten years ago, awareness of cyber risk was low: public-private partnership for threat intelligence sharing has dramatically changed that and brought cyber risk to the top of the corporate agenda. With a new public-private partnership focused on the strong cybersecurity measures that can effectively mitigate the risk of cyberattacks, over the coming decade we can start to drive that risk back down.
