Sharing of critical security information between the federal government and the private sector is an important part of protecting the nation's infrastructure and intellectual property from online attackers and thieves, but that knowledge flow isn't always smooth, NSS Labs said this week.
"It has been 10 years since the first national consensus emerged in the United States that more needed to be done to protect the national computer and communications infrastructure," NSS noted in a report.
"Yet," it continued, "we are still struggling to find and enable the right level of public/private cooperation and responsibility assignment to protect the nation's critical infrastructure, much of which is owned and operated by the private sector."
While acknowledging progress on information sharing in the financial services and defense industries, the report said much still needs to be done to enable near real-time situational awareness across the nation's critical infrastructure and to fully leverage U.S. government cyber intelligence capabilities for better protection.
The report found:
- Public and private sector actors often approach cybersecurity from different perspectives: government typically thinks in terms of worst-case scenarios, while the private sector thinks in terms of most likely outcomes.
- Private-sector participants require information that is specific, timely and actionable. Data provided by government sources can be generic, stale, heavily redacted or potentially classified.
- Liability concerns continue to retard broader public/private information sharing.
- Machine-to-machine cybersecurity information sharing is currently supported in only limited cases.
Although sharing implies transactions between equals, that's not the case with cybersecurity information, largely because public and private organizations have different wants and needs, and the government has the upper hand in getting what it wants.
"The whole goal of the private sector is to protect their intellectual property and the brand of their company," an author of the report, NSS Research Vice President Ken Baylor, said in an interview. "That's all they want to do.
"What the government wants to do is standardize how the private sector responds to cyber threats and make sure they respond well," he continued, "and that it's also a source of intelligence and information for them.
"What the private sector is absolutely terrified of is that the government will come in with a bunch of overreaching regulations that require them to do a bunch of things that aren't relevant to them, burdensome and of no value," he added.
A better understanding by government and industry of the relationship between security and compliance is important, added Phyllis Schneck, vice president and chief technology officer for the global public sector at McAfee. "A lot of dialog and collaboration is needed on how do we foster creative innovation to get the best security and not just compliance," she said in an interview.
Sign up for CIO Asia eNewsletters.