CybersecurityCybersecurity requires better collaboration between private, public sectors

The U.S. government will always play an important role in cybersecurity, but it lacks the resources fully to defend the private sector in the digital realm, according to a new report from the GW Center for Cyber and Homeland Security.

The report, released Monday, offers a comprehensive assessment of the legal, policy, and technological contexts that surround private sector cybersecurity and active defense measures to improve the U.S. responses to evolving threats.

Akey difference between cybersecurity threats and other security threats is the mismatch between public and private capabilities and levels of authority in responding to these threats, the report says. The lack of government resources to defend the private sector from digital threats places businesses on the front lines of the cyber conflict and can put national security, economic vitality, and privacy at risk.

“Given the scale and scope of the cyber threat, the digital equivalent of building higher walls and deeper moats alone is a reactive strategy doomed for failure,” said Center for Cyber and Homeland Security Director Frank Cilluffo. “Businesses cannot simply firewall their way out of this problem and must instead have greater leeway to more proactively respond to cyber threats.”

GWU notes that the report calls for increased collaboration between the public and private sectors to use available tools more effectively to disrupt and deter cyber threats, noting the collaboration between the private sector and policymakers is long overdue.

The report recommends:

• Developing procedures for public-private coordination on active defense measures through existing industry-led cooperation.
• Amending the Computer Fraud and Abuse Act and the Cybersecurity Act of 2015 affirmatively to allow low- and medium-impact active defense measures.
• Developing C-suite level operational templates based on risk assessment, industry standards and best practices to integrate into broader cyber strategy and incident response protocols.

GWU says that the report draws on knowledge from an Active Defense Task Force of experts in the public and private sectors who are thought leaders in technology, security, privacy, law, and business. The task force examined current cybersecurity practices commonly found in the private sector and provided case studies that lay out the strengths and weaknesses of such practices in addition to less common, active defense measures.

The aim of the report is to help chart a constructive course forward through the complicated terrains of law, technology and policy as they relate to private sector active defense. The report also dissects the complex web of the legal gray areas of cyber defense that make it difficult for the private sector and policymakers to work together.

The report provides a new definition of active defense that reflects the evolution of cybersecurity capabilities and includes operation that will allow defenders to gather intelligence and policy tools aimed at deterring hacks. With proper balance, the private sector can be a vital player in ensuring the nation’s economic and national security, the report finds.

The study differentiates between active defense and “hacking back,” which refers to offensive cyber measures that are beyond the scope of what is defined as permissible activity in this report. It also balances the need to enable private sector active defense measures with other important considerations such as the protection of individual liberties, privacy and risks of collateral damage when implementing active defense.

“The framework that we provide in this report offers a sustainable path forward for responsible private sector active defense,” said Deputy Director of the GW Center for Cyber and Homeland Security Christian Beckner. “An informed and equipped private sector, supported by this framework, is necessary to improving America’s cybersecurity posture moving forward.”

— Read more in Into the Gray Zone: The Private Sector and Active Defense against Cyber Threats (GWU, Center for Cyber and Homeland Security, October 2016)