Graphic courtesy US Department of Defense
The holiday season is approaching and like millions of Americans, I will be using my credit card to purchase items that I don’t need. In doing so, I run the risk of having my information stolen.
Cyber-attacks are on the rise; just this year Macy’s, Saks Fifth Avenue, and Panera Bread (to name a few) were hacked. According to a Shape Security report, credential stuffing, in which attackers replay username and password pairs stolen in earlier breaches against other sites’ login pages, accounts for up to 90 percent of login traffic at large retailers. [1]
So, whose responsibility is it to safeguard our data and protect our cyber infrastructure? The answer is unclear, and unfortunately that means the answer is “no one.” A lack of communication and general distrust between the private and public sectors makes the problem even worse.
The better answer is a hybrid framework that both safeguards data and protects infrastructure: a partnership between government and the private sector that mitigates attacks while clearly designating who is responsible for what.
The current division of responsibility for cybersecurity between the government and the private sector is unclear, especially in open liberal democracies like ours. The DHS is authorized to protect private critical networks but lacks both the capabilities and the expertise.
The DoD and the NSA have both the ability and talent to defend our networks but do not have the required authority. They also lack the trust of the American people regarding cyber, particularly after the Snowden leaks.
Furthermore, the Internet is too big to be protected by any single agency.
On the other hand, a few companies, Google for example, have the expertise. But much of the private sector consists of retailers with hardly any cyber experts, and they lack the infrastructure and the money to protect every network. Moreover, companies have strong incentives not to disclose cyber incidents publicly: they do not want to lose their customers’ trust, nor be held liable for negligence or for mishandling private data.
A hybrid partnership framework for cybersecurity can benefit both parties. The government can recommend best practices and alert the private sector of cyber weaknesses and imminent attacks. The private sector can voluntarily adhere to recommendations and best practices.
This approach will make their networks safer and more resilient to attacks. The government can fund the program by setting aside part of the DoD’s budget, and incentives could take the form of limits on liability, tax breaks, and grants for participants.
This move will encourage database owners to discover and immediately report any cyber incidents.
One aspect of this framework should be an agreement between the NSA and the private sector on the NSA’s stockpile of zero-day vulnerabilities. The NSA should disclose the less useful ones to the affected vendors so that they can be patched, rather than holding them for offensive use.
Currently, the NSA quietly amasses large numbers of these vulnerabilities, and this has soured its relationship with the companies whose products remain exposed to them.
Lastly, the government alone cannot secure private networks. A government-imposed cybersecurity mandate would stifle innovation in a rapidly changing cyber environment; the public sector is notorious for falling behind the technological curve. Most importantly, a government-run Internet risks censorship and limits on freedom of expression.
The inspiration for this hybrid framework comes from the Federal Reserve System, a highly successful public-private partnership. We now need such a partnership for the Internet: each side benefits from the expertise of the other, and each serves as a check and balance on the other.
This public-private partnership will provide a safety net, allowing innovation and free market flow without eroding our civil liberties. The US government created the Internet. But it was the private sector that built the infrastructure that brought it to our homes.
The responsibility to secure private networks shouldn’t solely fall on one or the other.
Public and private sectors must work together to protect our cyber infrastructure. Their partnership will keep us safe and secure our data. Their partnership will respect our cherished democratic ideals and values.
[1] Shape Security, “2018 Credential Spill Report,” Second Annual Edition. Retrieved from https://info.shapesecurity.com/rs/935-ZAM-778/images/Shape_Credential_Spill_Report_2018.pdf
Author: Gabriela López Case, graduate student at George Washington University, Elliott School of International Affairs.