The Biden administration’s Executive Order on Cybersecurity contains positive broad strokes on the President’s vision for protecting America’s critical infrastructure. But public-private security collaboration is critical to this effort, and any true partnership must work both ways.
President Biden’s just-released Executive Order on Improving the Nation’s Cybersecurity (EO) provides a much-needed look at the administration’s vision for protecting America from cyber-attacks. It could not come at a better time. With the country still reeling from last year’s SolarWinds hack and the recent ransomware attack against Colonial Pipeline, it is impossible to overstate the importance of protecting our critical infrastructure against cybercriminals and hostile foreign actors. With a focus on secure cloud solutions, zero-trust architectures, and software supply chain security, the EO makes clear that this administration views the cyber threat as a top national security priority.
Yet, the EO falls short on a crucial point. It continues asking private industry to freely and openly share breach and other cyber incident data with the government but provides no protection from legal liability and little in the way of reciprocal information sharing back. A one-way relationship does not equate to a true partnership and is not designed with success in mind.
Lack of Trust by Corporate America
The call for public-private cyber collaboration is not a new one. In fact, it has been a consistent theme for two decades, going back to President Bush’s 2003 National Strategy to Secure Cyberspace (NSSC), which called for a “public-private partnership.” In 2015, President Obama signed an Executive Order Promoting Private Sector Cybersecurity Information Sharing, encouraging information sharing between government and the private sector. In 2020, President Trump signed an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, calling for greater engagement by critical infrastructure industries. Yet the inability to define what constitutes a reportable incident, the failure to lay out a federal notification standard that could be reconciled with the nation’s patchwork of state data breach laws, and the lack of protection from regulatory or civil exposure for companies that self-disclosed cyber incidents meant that the status quo continued despite these noble efforts.
Unfortunately, nothing in President Biden’s EO significantly changes this. There is still no clarity around what type of cyber incident would be subject to mandatory reporting or which agency would collect such information. The EO calls for “removing contractual barriers” to information sharing but provides no insight into how this would work in practice. And companies that step up and share cyber risk and breach information with the Department of Homeland Security, the Federal Bureau of Investigation, or the Department of Defense (DoD) continue to run the risk that they themselves will become the target of government investigation, plaintiffs’ lawsuits, and negative media coverage.
Limited Sharing from Government to Industry
There also remains little progress in enabling effective information flow from the federal government – particularly from the intelligence community (IC) – to the private sector. Following the terrorist attacks of September 11, 2001, the USA PATRIOT Act and other legislative and executive actions made great progress in tearing down the legal “wall” that impeded collaboration between intelligence and law enforcement personnel. They also significantly improved intra-governmental information sharing among the 18 organizations that comprise the IC. However, these actions did little to facilitate the flow of information from the IC to private industry relating to cyber and economic threats.
Part of the problem is over-classification, which limits both the scope and the timeliness of information flow. Exchanging standards via the National Institute of Standards and Technology (NIST) and establishing a public-private sector Cybersecurity Safety Review Board to conduct after-action reports are great, but they do little to enable real-time cyber threat sharing. Another issue is that IC officials are so accustomed to safeguarding their offensive and defensive cyber capabilities that the concept of collaborating with the private sector is a foreign one. The experience of the National Security Agency (NSA) in protecting DoD systems undoubtedly has valuable carryover to private industry, but legislative limitations on that agency’s domestic operations also limit its ability to collaborate with private industry.
Need to Keep Building Bridges
President Biden’s EO contains much to be optimistic about – but it is only a first step and leaves a lot of open questions when it comes to public-private cyber collaboration. Some of what must come next will be legislative, such as a bipartisan effort currently before the Senate Intelligence Committee to provide limited immunity and privacy protections for companies subject to mandatory self-reporting. Part of it is cultural and will require a concerted effort by both sides to work together in good faith.
Many of us in the defense technology space have long advocated that public-private sector collaboration is key to driving innovative solutions, and that over-classification inhibits this. The same goes for cybersecurity, where critical infrastructure industries such as energy, financial services, and manufacturing have a tremendous amount to offer the IC in terms of cyber defense intelligence. But asking private industry to share information without providing protection or information in return will go only so far.