By: Gabriella Capone, JD/MBA ‘19

The 2019 Yale Law Cyber Security Forum explored how the public and private sectors can bridge gaps in their cyber security efforts.

This piece focuses on the role of local governments and small enterprises in cross-sector cyber cooperation. While focus was often placed on the larger players in both sectors, bringing smaller actors in each sector into the conversation is a significant opportunity to strengthen shared infrastructure and cooperation.

If local-level players, from city governments to small businesses, are not top-of-mind in conversations like those enabled by the Forum, it risks creating significant gaps in the system as a whole.

Biases towards higher levels and larger actors of the system

The Forum’s overarching question of how, precisely, the sectors should coordinate to reduce vulnerability inevitably raises questions of who should take action. At the end of one session, a participant suggested there was an important role for state governments in the field. This highlighted for the group – expert researchers and practitioners – that issues and ideas in the field of cyber are often exclusively framed as national and international problems.

While local government or small businesses had not explicitly been mentioned until that comment, they became important to numerous discussions.

Panelists initially deemed coordination challenges in bringing criminal prosecutions an “international problem” afflicted by varying prosecutorial standards across countries or even within the United States. As the conversation progressed, participants raised the fragmented warrant system, and the fact that it took three years to normalize warrant rules across 94 federal judicial districts. The problem was first framed as a global one, but the crux amounted to local, dispersed happenings across districts.

Second, in addressing privacy concerns around sharing criminal data, participants observed that such data was often stored locally (i.e., where the incident occurred). With the globalization of criminal evidence and data, it is generally becoming more accessible and transferable. In this facet of cyber security cooperation, local standards and practices for data storage bubbled up to subsequent national and global actions. If data collection begins at a local, fragmented level, it will inevitably shape the design and capability of the centralized system built on its legacy.

Third, there was ample discussion around the action, or inaction, of the US government when it comes to cyber security and privacy legislation. The most recent major piece of cyber security legislation was passed in 2002, and what exists currently is a patchwork of rules. Even sparser is the discourse around local-level legislation in the field. Key definitions and measures remain undefined, the type of ambiguity that Professors Oona Hathaway and Rebecca Crootof address. Elsewhere, the EU has leapfrogged the US in providing clear, contemporary legislation around individual data privacy and protection.

Discussions about the role of the private sector in addressing cyber threats also trended towards higher levels. Participants repeatedly raised privacy concerns around the actions of Facebook and Apple, at times with a forlorn glance towards the mobile devices scattered throughout the room. Discussions tended towards issues in defense and technology industries, highlighting how smaller, private entities may not receive as much attention.

A systems approach to public-private cyber cooperation

There are benefits to concentrating action at the highest levels of each sector. Setting standards, such as for privacy or encryption, reduces the layers that law enforcement needs to navigate, or the erosion of liberties through conflicting regimes. In the public sector, a federal standard can promote scaled, coordinated efforts that protect the country as a whole, rather than relying on patchwork actions taken by states. In the private sector, large companies house more data (that is of potential value to law enforcement) and can affect more consumer-citizens with their actions and security measures, all while setting best practices in their industry.

Although over-indexing on prominent players in each sector may be efficient, it is likely imprudent. 99.9% of US businesses are small businesses (<1,500 employees) and employ over 47% of the US workforce. The value and vulnerability of data managed by SMEs means their infrastructure and capabilities must be considered if the model is to be a holistic one. On the public side of the divide, leaving regulation of cyber security exclusively to federal institutions misses the critical role of state and local governments as a line of defense, and as actors that govern on the local scale. Local institutions need to be legally and structurally equipped to manage threats where the federal government cannot, for everyone’s sake.

As conversation tends towards the highest level of the respective sector or field, it risks neglecting the role of smaller and medium-sized players, whether they are state or local governments, or small- or medium-sized businesses. This is a dangerous trend, if not checked as it was at the Forum, because it risks developing models for public-private cooperation and collaboration that are incomplete by biasing them towards action at the highest levels of the system or, worse, towards action by the most salient actors. Such an approach could actually widen the gap between the sectors, rather than bridging it, by undermining efforts to build a cooperative model at all levels of action – not just the highest ones.

Local governments and small enterprise must be an explicit part of the public-private cyber security discourse, or it risks being another gap.

Integrating local actors and phenomena into public-private efforts

A cohesive model for public-private cooperation in the face of threats must account for the local levels of the respective sectors, including smaller enterprises and local governments. There are a number of existing models to inform this effort.

Connecticut model for state-led cyber security. Currently, Connecticut is the only state that performs an annual review of large utility areas, providing security assessments in a public report (two such assessments have taken place thus far). Given that federal support is not available for states to respond to and recover from cyber-attacks, there are gains to preparing for and mitigating a potential attack. So, the state is filling gaps in federal support by being proactive in its infrastructure assessments.

Second, the state has developed a strategy and action plan, with an eye towards supporting the small business security infrastructure, given that over 50% of businesses in Connecticut have not performed a security assessment of any kind.

Existing transversal relationships. Professor Peter Swire’s work elaborates upon the traditional seven-layer OSI Stack with three additional layers: organizational, governmental, and international. Governments (layer 9) create laws that govern organizations, while actions taken by nation-states at the international level “affect the governments at layer 9, and apply when no single government can set the law.” The framework is silent on intra-governmental relationships but its presentation of the national and international level relationships can provide a starting point for modeling local and national relationships.

Legal frameworks proposed to organize actors and their responses to cyber-attacks and in cyber-warfare tend towards national and international levels, but may be of interest in designing local-national legal relationships. Hathaway and Crootof outline a framework at the domestic and international levels to counter challenges posed by Cyber-Attacks (one of the terms they specifically define to promote consistent, coordinated action). They identify that a central issue in organizing international efforts “will be defining the scope of the activity that should be addressed in an international agreement.” The same issue holds one level below: how to define the scope of activity involved in a state-federal agreement and the roles of each institution?

Models of state-federal cooperation. Existing state-federal relationships can inform models of cyber security cooperation, especially when it comes to private sector regulation. For example, the FEMA funding model could be a starting point for evaluating what is or is not effective in terms of federal emergency support, and what that would look like for a cyber incident response. It is an exciting opportunity to design a new relationship between state and federal government.

Broadening the “who” of public-private cyber cooperation

As models for public-private cooperation are developed, the cross-sector community should continue to critically evaluate who precisely is included in the conversation, and where key gaps exist.

The impact of smaller businesses in aggregate should draw the attention of cyber security experts. The potential of local government, both as a mechanism for engaging local levels of the private sector, and as a critical line of defense in the national and international cyber security regime, presents untapped power for the public-private model for cyber security cooperation.