Public/Private Partnerships in Cyberspace

Stephen DeAngelis

November 4, 2008

It’s election day in the United States. If you are an eligible voter and haven’t yet exercised your right to vote, I encourage you to do so. The politicians who are elected today are going to face serious challenges in the days ahead, including cyber security issues. Recently I wrote a post about international efforts to thwart groups that are creating botnets to spread spam and other malicious programs [see An Update on Zombies]. In that post, the International Botnet Taskforce, which includes government and law enforcement agencies, computer security companies and academics, was mentioned as one group that plays a significant role in countering the botnet challenge. Walter Pincus, writing in the Washington Post, reports that the U.S. Government is interested in taking public/private partnerships to the next level in this area [“Partnering for Cyberspace Security,” 3 November 2008]. The man behind this new push is Donald Kerr, principal deputy director of national intelligence. According to Pincus, Kerr “has called for a radical new relationship between government and the private sector to counter what he called the ‘malicious activity in cyberspace [that] is a growing threat to everyone.’” Pincus reports that Kerr’s calls for action were contained in two recent public speeches.

“Kerr said the most serious challenge to the nation’s economy and security is protecting the intellectual property of government and the private sector that is the basis for advancements in science and technology. ‘I have a deep concern … that the intelligence community has still not properly aligned its response to what I would call this period of amazing innovation — the “technological Wild West” — by grasping the full range of opportunities and threats that technology provides to us,’ he said at the annual symposium of the Association for Intelligence Officers on Oct. 24.”

Kerr goes on to insist that public/private partnerships are required because nefarious activities are no longer primarily government-against-government activities.

“‘Major losses of information and value for our government programs typically aren’t from spies . . . In fact, one of the great concerns I have is that so much of the new capabilities that we’re all going to depend on aren’t any longer developed in government labs under government contract.’ Calling for ‘a fundamental rethinking of our government’s traditional relationship with the private sector,’ Kerr said that ‘a high percentage of our critical information infrastructure is privately owned, and both government and industry must recognize that an individual vulnerability is a common weakness.’”

Early company literature I wrote for Enterra Solutions talked about this very problem — that much of the critical infrastructure needing protection is privately owned. As a result, I have been a long-time proponent of public/private cooperation to help protect such assets. Continuing his reporting on Kerr’s speeches, Pincus writes:

“Hackers steal proprietary information, shut down systems and corrupt the integrity of information by inserting erroneous data, he said. He described ‘supply-chain attacks’ in which adversaries plant vulnerabilities in communications hardware and other high-tech equipment ‘that can be used later to bring down systems or cripple our infrastructure.’ Kerr offered some far-reaching solutions in a talk [on 29 October] during another symposium, sponsored by the Office of the National Counterintelligence Executive, which is part of his organization. One approach would have the government take equity stakes in companies developing technical products, in effect expanding the practice of In-Q-Tel, the CIA entity that invests in companies. Another proposal is to provide the same protective capabilities applied to government Web sites, ending in .gov and .mil, to the private industry’s sites, ending in .com, which Kerr said have close to 98 percent of the nation’s most important information. He also suggested that the government ask insurers whether they cover ‘a failure to protect intellectual capital.’ That way, Kerr said, the insurers, through their premiums, ‘provide an incentive for companies, in fact, to pay attention to protecting their intellectual property.’”

Kerr’s overriding point is that we are still using twentieth-century methods to fight twenty-first-century challenges. This has created what I have called a complexity gap. One of the reasons I started Enterra Solutions was to help address this complexity gap and, in the process, make organizations more resilient. Kerr admits that old approaches no longer work.

“In the past, Kerr said, when the director of central intelligence or the FBI chief faced similar problems, they would meet privately with leaders of companies involved in new technologies, seeking cooperation and perhaps access to their products. ‘What’s the modern equivalent of what used to be done?’ Kerr asked. ‘We have a responsibility … to help those companies that we take an equity stake in or those that are just out there in the U.S. economy, to protect the most valuable assets they have, their ideas and the people who create them,’ he said.”

Kerr is right to worry about protecting U.S. assets, but even that vision is too narrow. The International Botnet Taskforce is “international” because networks know no boundaries. It’s one of the reasons that the old method of trying to co-opt technology companies into working with a single government no longer works. Such companies would be much more likely to cooperate if approached by an international group that can offer them global benefits for working together. Kerr, of course, has a limited portfolio and must do his best to achieve results within it. The next president, whose name we’ll know later tonight, needs to ensure that this topic is among those he discusses with other world leaders.