Why can’t the public security sector and the government get along?

See what the private sector thinks are the issues holding back a better relationship with the government.

At loggerheads

As cyber threats increasingly represent one of the main dangers to national security, government offices are upping their efforts to more closely align with the expertise of the private sector. However, the divide between government and the security industry presents several challenges when looking to form partnerships with the goal of improving cybersecurity. In order to illustrate what it will take to move forward with these partnerships, security professionals provide their opinions on the main roadblocks for collaboration between the private and public sectors.

Government doesn’t have all of the answers

Jeff Schilling, CSO, Armor:

"Civilian security executives have a misperception that the government is withholding the good security intelligence which would allow them to be better protected. The truth is that government does not aggregate and package security data that is consumable or actionable for civilian use. Most of the good threat intelligence collected by the government is low density and highly targeted on the most sophisticated cyber threat actors. This threat intelligence has a very short time of value because the most sophisticated actors change their approach quite often, and in most cases can’t be shared due to the classified nature of how it is acquired.

Legislation and regulations are not helpful driving the desire to share

Schilling continues: “We have seen Congress struggle to gain consensus to pass even basic legislation on cyber security sharing. Businesses are worried about their liability if they share that they have been compromised. Government agencies and Congress can’t seem to balance basic sharing frameworks with privacy concerns brought to bear by lobbying groups. When you examine the most successful collaborative environments, they normally spring up because of a need and form sharing groups in an ad hoc manner. We seem to be stuck in cyber security, not knowing how to start the conversation with each other.”

The classification of data

Lisa Donnan, Vice President of Federal, BeyondTrust:

"The government has unique access to cyber threat indicators and information, and information of this nature is challenging to share with the private sector in real time. Although the DHS has put the structure in place to overcome this obstacle without enabling technologies like STIX and TAXII, Automated Indicator Sharing (AIS) is still challenged to provide real time dissemination of relevant and actionable cyber threat indicators between the public and private sector.

Protection and Privacy

Donnan continues: “In order for a partnership to work, both private and public sectors' interests need to be represented and agreed upon with outcomes met. Nothing could be further from that right now, as evidenced by the chasm between Apple and the FBI. The private sector, along with privacy and civil liberties groups, worry that if regulations and congressional oversight do not keep the government in check, it will overstep its authority to access and collect identifiable information.”

Difficulty of information sharing

Andrew Wertkin, CTO, BlueCat:

"The difficulty of information sharing between the public and private sectors is one of the key impediments in improving cybersecurity. Private and public sectors have different priorities and disparities in the way they see their roles in cybersecurity, which makes the relationship ambiguous and leaves the partnership often without clearly defined shared value."

A list of what needs to be done

Mike Orosz, Manager of Threat and Investigative Services, Citrix:

"The below offers some outside-insight into how some perceived challenges can be overcome:

  • Uniting public/private sector cyber security experts, through vendor/customer relationships
      ◦ Companies who engage the government in business have expertise to share and should actively seek out opportunity to improve secure product implementation
      ◦ Government agencies can facilitate private sector collaboration opportunities, right in their own backyard, by actively engaging the companies they do business with
  • Three letter agency collaboration – highly-cleared cyber professionals are willing to give their expertise to support the most sensitive and critical government missions
      ◦ Industry security experts are willing to share insights directly with government stakeholders and collaborate at the classified level
      ◦ A portal where cleared professionals can log in and view collaboration opportunities would speed up this process
  • Leverage industry associations and government/industry events as venues for collaboration
      ◦ Private sector security experts should attend association-sponsored events to make contacts and share experiences
      ◦ Armed Forces Communications and Electronics Association (AFCEA) offers many great events to meet a variety of government stakeholders"

Methods, communication, and funding

J.J. Thompson, founder and CEO, Rook Security:

"The primary roadblocks are methods, communication, and funding.

  • Methods: government trips over itself to try to accomplish things without having the expertise needed, but with everyone wanting to be attached to sexy cyber initiatives. To be successful, agencies wishing to have improvements in cyber security need to create agile teams that are autonomous and follow traditional private sector approaches, which are then integrated using government methods. 
  • Communication: government tries to build interest, create a working group, attach everyone and their brother to the working group, then identify private industry partners to work on a strategy. Then hire a firm to tell the group of experts what the strategy will be, then go to bid with traditional IT contractors who have no idea how to be successful with cyber security only to watch the initiative fail. By the time all of this takes place, an agile private sector team could have been successful with one-third of the resources in half the time. 
  • Funding: government tries to attach funding to trusted vendors who are on schedule or are in their system. It is assumed that if someone can run databases, that is IT, and security is IT, so companies that can be successful with putting bodies in seats for databases can also be successful with cyber security. Not so. Funding cyber security is not cheap. It is incredibly hard to maintain talent in these lower cost roles and therefore government will continue to fail to produce results until funding is aligned with the expertise to produce positive outcomes."

Scale, standards and trust

John Davis, VP & Federal CSO at Palo Alto Networks:

1. Scale: There are no systems built to share at volume. We tend to share info around one adversary campaign every once in a while. What we need to be able to do is to share intelligence on 5,000 campaigns in real time every day.

2. Standards: At last count there were 40 or more different standards that the community uses to share intelligence with other parties. It is tough to share intelligence if all the participating parties can’t consume it.

3. Trust: There is a great deal of trust that must be in place to share cyberthreat information, and there must be faith that the government will not mishandle the information in such a way that paints the cyberthreat information sharer in a bad light.

Legal action, declassification and privacy misconceptions

Davis continues:

1. Fear of Potential Legal Action: There is a fear, valid or not, the sharer will get sued for sharing “privacy” related information whether they intentionally did so or not. While the new Cybersecurity Act of 2015 is intended to reduce this concern within the United States, both the domestic implementation of this law and its reception internationally are critical next steps.

2. Declassification: The government tends to "over-classify" information from both internal and external sources. It takes a significant effort — and valuable time — to declassify that same information to share with the public.

3. Privacy Misconceptions: Both the government and the private sector worry that sharing intelligence on “Bad Guy” tactics is somehow privacy related. They both worry that somehow intelligence sharers will intentionally or unintentionally share personally identifiable information (PII) and intellectual property (IP) along with the intelligence on the “Bad Guy.” While that may happen by mistake on an infrequent basis, it is certainly not the norm.