RSA: Working Together WorksBut making public-private partnerships function properly isn't always easy.
Working together is critical to managing cybersecurity risk successfully, but not everyone is on the same page when it comes to how to collaborate effectively, particularly when partnerships stretch across the divide between the public and private sector.
At the RSA Conference in San Francisco, Calif., on Tuesday, pretty much everyone sharing an opinion on the subject of security expressed support for sharing information and knowledge to counter cyber threats.
Scott Charney, Microsoft's corporate VP of trustworthy computing, called for collaborative defenses based on a public health model. William Lynn III, Deputy Secretary of Defense, urged building stronger collective defenses with our allies and better information sharing.
Howard Schmidt, Special Assistant to the President and White House Cybersecurity Coordinator, Philip Reitinger, Deputy Under Secretary for the Department of Homeland Security, and Patrick Gallagher, Deputy Under Secretary of Commerce for Standards and Technology and Director of NIST, all expressed support for collaboration and information sharing across the public and private sector to mitigate cyber security risk.
Though there's widespread agreement that cooperation represents the best defense against the dark arts, there's some heavy lifting required to get from theory to practice.
Lynn, in his keynote address, said that the even if the Department of Defense successfully executes its "Cyber 3.0" strategy, now in the final stages of review, it can't do it alone because most of the national critical infrastructure is in private hands. The Department of Defense has been pushing its senior IT managers to incorporate more practices from the commercial world and Lynn proposed that those in the private sector ought to be mindful of their role in the nation's network defense.
"In the cyber domain, soldiers are not the only ones on the front lines," he said. Civilians ought to take some responsibility for security, in other words.
Lynn suggested that some of the network defense resources provided by the military to the Department of Homeland Security could be made available to assist the private sector, but didn't offer any details about how this might work.
One of the pillars of the "Cyber 3.0" strategy described by Lynn involves marshaling both technology and people to maintain America's preeminence in cyberspace. But there's considerable concern that lack of human resources could hinder that goal.
Reitinger, in a town hall discussion, described cyber security as both a security issue and an economic issue. "It is the cybersecurity workforce of the future that is going to enable our country to succeed," he said, adding his voice to the chorus calling for stronger national efforts develop science, technology, engineering, and math talent.
"We have to make being a geek cool," he said.
Schmidt, during the same discussion, offered a few examples of successful attempts to connect the public and private sector, like the Cyber Storm III exercise last year. And Gallagher confirmed that effective collaboration is occurring at many levels in the government.
But Reitinger stressed that more needs to be done.
"It's just too hard to be secure," he said. "We've got to make it easier."
We have a long way to go, he said, because people don't always understand how to collaborate and share information effectively.
When they hear collaboration, he said, "Some people here think 'kumbaya' and walk out the door and nothing changes."