By: Caroline Lawrence, JD / YLS ‘21

One thing is clear from the recent SolarWinds attack: in at least some instances, cybercriminals do not discriminate between the public and the private in choosing targets. Victims of the SolarWinds breach included large firms such as Microsoft, Intel, and Cisco, as well as numerous government agencies, including the Departments of Commerce, Defense, Energy, Homeland Security, State, Health, and the Treasury.

It is fitting, then, that government and industry should pool their knowledge. This post considers why the government and private actors are interested in collaborating, describes the potential weaknesses arising from misaligned incentives, and offers some examples of how particular public-private partnerships have solved these problems.

The Primacy of Public-Private Partnerships in Cybersecurity

Throughout the cybersecurity community, experts agree that neither the government nor commercial entities can meaningfully progress in cybersecurity without the other’s help. Both parties have a vested interest in keeping the Internet free from crime, and their opposite positioning gives them access to different sorts of information and power. Industry members often are among the first to notice a cyberattack, and they tend to develop effective countermeasures to protect the company. The government may have access to top-secret information or intelligence from other countries.

Though a commitment to collaboration has long been endorsed in principle, it has manifested variously throughout cybersecurity’s short history. In the 1990s and early 2000s, the government paid lip service to public-private partnerships but in fact promoted a market-based and voluntary approach to cybersecurity, believing that industry executives had the incentives to develop effective deterrents and that the government’s role was to promote a market in which this innovation could thrive.

By the end of the first decade of the 2000s, stakeholders on both sides had figured out that a voluntary, laissez-faire approach would not work, and neither would a regulatory approach, which would be hindered by a lack of flexibility and savvy. In the Cyber Security Social Contract of 2011, industry experts presented the Obama administration with reasons for moving to a more genuine public-private partnership. They observed that industry could provide government with technological knowledge the government was widely perceived as lacking, but that industry had no incentive to produce security products that went beyond its own business needs to answer the national security interests of the government. Moreover, government involvement could be helpful in mitigating threats, as well as in promoting enforcement of the cybersecurity measures that did exist but were often not used; even in industry, where advanced cybersecurity knowledge supposedly resides, many companies admitted to laziness in training and compliance programs for employees, for instance, even though such programs constitute a major line of defense.

Today, the importance of public-private partnerships is almost universally endorsed by cyber experts. The challenge, however, is to fine-tune incentive structures to make such partnerships possible—and effective.

Weaknesses of Public-Private Partnerships: Mismatched Motives

Despite their broad uptake in the cyber realm, public-private partnerships may not produce efforts that are perfectly aligned. As stated above, one major problem lies in the confluence of a) the government’s inability, for a number of reasons, to engineer and operate adequate cyber protective measures without help from industry, and b) the reluctance of industry to invest resources in a cyber strategy that meets the government’s needs, which often lie far beyond what companies deem necessary for their own business.

Similarly, motivations and methods differ among the sectors. As mentioned during the 2021 Yale Cyber Leadership Forum, the government prioritizes attribution as a form of deterrence. As such, during an investigation, government officials will prioritize searching for emails or other forms of communication that may indicate an actor’s identity. Industry officials, on the other hand, tend to fret less over the symbolic import of bringing a hacker to justice; they want the threat minimized and consumers reassured. While industry investigations may delve into the attack’s infrastructure in the name of future prevention, the evidence they seek out will be technical in nature rather than anything interrogating the hacker’s motivation or identity.

Finally, public and private actors may disagree on what constitutes a desirable defensive strategy. Some in the commercial space advocate for the ability to “hack back” at their foes. Many in the government (and indeed, several in the private sector as well) balk at the threat of unforeseen consequences from such a response. On the other hand, the government is committed to defending other actors via mutual legal assistance. Companies, while certainly not impervious to diplomacy or PR concerns, are generally focused on these issues only insofar as they can benefit financially. Even though many public-private partnerships are organized by industry, it would likely be difficult to convince companies to use their resources to defend a competitor, or another country, unless they believed that they, too, had a stake in the matter.

These misaligned incentives sometimes lead to gripes on either side that the other is withholding intelligence or not complying adequately. Moreover, companies may not always be comfortable sharing information with would-be competitors. Despite these concerns, however, a number of public-private partnerships thrive. The following sections unpack examples of successful collaborative efforts that rely on higher and lower levels of government and competitor collaboration.

Solutions

Some private-public partnerships solve the incentive problem by fostering collaboration among industry competitors and treating the government as yet another stakeholder or member. These groups often strengthen sector-wide security through such methods as training and compliance programs, threat alerts, and unified systems of communication. For example, Information Sharing and Analysis Centers, or ISACs, first materialized after Presidential Decision Directive 63 in 1998, which urged cybersecurity collaboration among industry and government. There are now 26 different sector-specific ISACs, all with slightly different organizational configurations. Though ISACs take cues from the government and present themselves as aligned with the federal system, their main function is as a venue for their members to organize and communicate. For instance, the Health ISAC (H-ISAC), a unifying ISAC for the health sector, counts both private companies and government agencies among its membership. It collates threat reports, sends alerts, offers compliance trainings, and provides shared cybersecurity programs and software to its members. It also promotes uniform cybersecurity protocols among all members, so that a weakness in one cannot threaten all others, as occurred in SolarWinds. While H-ISAC does sometimes reach out to its government members for threat mitigation help, it always de-identifies information.

Other public-private partnerships solve the incentive problem by emerging ad hoc, when a single, often quite powerful, firm partners with government agencies to take down a major threat that is salient both to it and to the government. For instance, the Citadel botnet affected an estimated 5 million users in 90 different countries and amounted to hundreds of millions in losses – a concern for both commerce and international relations. A public-private partnership between Microsoft, with its superior data-gathering abilities and skilled employees, and the FBI, with its connections to international law enforcement agencies, resulted in several court orders that paved the way for disrupting the botnet’s master and destroying many of its citadels. The FBI and Microsoft have since collaborated on at least two similar projects.

Conclusion

Government and industry may not be perfectly aligned in their responses to cybersecurity, but they have enough common incentives to motivate effective partnerships. There is no one characteristic arrangement of public-private partnerships. Some collaborations are short-lived, like the Microsoft/FBI coupling, while ISACs and some other groups persist stably for years. Similarly, while some involve only one company and/or government agency, others unite many actors on both fronts. Regardless of their organization, these groups optimize responsiveness, correct for blind spots, and help to change cybersecurity norms for the better.