Deterring cyberattacks requires building a public-private partnership

Private cybersecurity researchers could benefit from information about intrusion attempts and details about vulnerabilities uncovered by government actors, and government agencies could benefit from up-to-date information about private cybersecurity innovations and the identification of vulnerabilities by private firms, the researchers say.

Although some existing laws would need to be revised to implement the proposal, “both sides could benefit from information sharing about different security measures and their rate of success,” Kesan said.

To emphasize the importance of cooperation, the paper presents case studies of two recent government proposals to address cyber threats: the proposed Cyber Intelligence Sharing and Protection Act (CISPA), and the presidential executive order that outlines procedures to establish voluntary cybersecurity standards.

Both proposals would create a way for qualified members of the private sector to obtain security clearances to receive classified cyber-threat information from the government, and CISPA also would allow the private sector to share cyber-threat information with government agencies.

According to Kesan, however, efforts to address cyber threats may be hindered if policymakers rely solely on voluntary compliance.

“Both CISPA and the executive order take a voluntary approach, and we argue that a purely voluntary mandate is undesirable in both contexts,” Kesan said.

Under each system as currently proposed, participation by private firms is purely voluntary and there is no penalty for non-compliance.

“Voluntary programs can be effective in some situations, but they may ultimately be interpreted only as aspirational guidelines,” Kesan said. “In the sensitive context of cybersecurity, aspirational guidelines for security standards could lead to low levels of compliance, the withholding of valuable information by those who do not participate, and a greater risk of overshare by those who do participate.”

On the other hand, mandatory programs with effective enforcement mechanisms are likely to result in higher levels of compliance, the authors note. This may be especially true when the program concerns highly complicated subject matter, as previous research has indicated that voluntary compliance may not be as effective in those situations.

“Government intervention with the free market should be minimized, but when cybersecurity issues have implications for national security, some degree of mandatory regulation would be beneficial,” Kesan said. “The Obama administration recognized this through the issuance of the executive order on improving critical cybersecurity infrastructure, and Congress has recognized this as well.”

Unfortunately, cybersecurity has proved to be a much more partisan issue than it should be, and Congress has not yet come together to take meaningful steps to protect the cyber infrastructure, Kesan said.

“Advocates for private enterprise have discouraged the imposition of meaningful cybersecurity requirements on privately owned critical infrastructure, while advocates for civil liberties and privacy invariably react with alarm to regulation that involves the collection of information about threats,” he said.

Both Kesan and Hayes believe it is unlikely that Congress will pass effective cybersecurity legislation in the current session, which is scheduled to end on January 3, 2015. Although the presidential executive order and their proposed cybersecurity framework could provide some helpful first steps, the authors say that it is neither feasible nor desirable to rely solely on executive power to shore up the cyber defenses of the government and the private sector.

“Ideally, our proposed cybersecurity framework would be implemented alongside supporting legislation to ensure that cybersecurity actions and standards are subject to the checks and balances of our system of government,” Kesan said. “CISPA could be easily revised to accompany our framework.”

The authors also contend that it is important to ensure that this issue is subject to deliberate and careful decision-making by policymakers before a massive cyber catastrophe forces the government to act quickly and without adequate safeguards. They point to the history of the Patriot Act, which was hastily passed in the aftermath of 9/11, and has been the target of significant criticism on civil liberties grounds over the last thirteen years.

“It’s vital that these issues are addressed soon while there is still a chance to prevent a catastrophic cyber event,” Kesan said. “It would be ill-advised to rely solely on executive power or on legislation that is hastily drafted and enacted after an emergency.”