The federal government is currently hobbled in a way it has never been before. Because the digital realm is man-made, governments around the world have varying levels of access and freedom of movement in it. In Western democracies, the vast majority of the digital realm is owned by private interests and, therefore, beyond the direct control of their respective governments. In most of these countries, even the backbone of the Internet is beyond the purview of the government in all but the most extraordinary emergencies. This means that federal governments cannot function effectively to provide the same levels of security that exist in the physical world.
This fundamental paradox of government power (or lack of it) makes partnerships between the federal government and the private sector imperative. Without them, the government cannot effectively provide the most basic levels of security for its population. Nor is it fundamentally a problem that can be solved by expanded legislation, as the access that would be needed for the government to do it itself would pose a real and significant threat to the Fourth Amendment’s protection from unreasonable searches and seizures in the United States. This means that the government must work in collaboration with the private sector as it has never done before.
The private sector must also adopt this dynamic. The daily battle for cybersecurity is fought on its networks. Private companies are the main victims of this unregulated field, so anything they can do to work collaboratively with the government is in their own best interest. Unfortunately, in general, and particularly in the United States, the public and private sectors are at best ambivalent toward each other and, in many cases, directly antagonistic. Regulation generally reduces profits and increases the operational burden on businesses.
The current US presidential administration uses a combination of carrots and sticks that exacerbates this adversarial relationship. The more the government talks about regulation, the obligation to report activities during a real incident and other demands on the private sector, the further away the two sides are from voluntary cooperation. While CISA attempts to bridge the gap with key stakeholders, traditional levers of government are largely counterproductive and require more original thinking in organizations that are traditionally resistant to change and risk. Moving beyond suspicions of the past will take time and a concerted effort on both sides.
The fastest way to jumpstart this growth is to reform the federal cybersecurity talent hiring program. Nothing builds bridges faster than having shared experiences. A two-way flow of technical talent between the federal government and the private sector builds trust in a way that no mandated or institutionalized program can. In addition, making connections based on shared experience makes the act of cooperation much easier. When the federal government asks for help, its typical processes and motivations are often opaque (and rightly so). If a private sector organization does not have someone who can translate the request or provide general context, these requests are often greeted with skepticism first and then with legal counsel. With a little understanding of the why as well as an explanation of the limits of what government can do, the private sector is in a much better position to provide the help the federal government really needs.
In addition, the private sector benefits greatly from this knowledge transfer in two main ways. First, they are able to secure highly skilled employees who have access to data on cybersecurity threats that very few people outside of government ever have access to. Second, these employees also bring a wealth of knowledge and connections around the regulatory space that can help companies establish a more nuanced practice when dealing with regulatory risk in that space.
Fundamentally, if the U.S. government is to be successful in the digital realm, it will need a complete overhaul of the way it tries to keep its citizens safe. The private sector is the keystone of any successful strategy, and in many ways it is in fact the most powerful player because of its ownership of the battlefield. Without a redesigned way of interacting that allows for mutual trust, respect, and ultimately positive results, the private sector will begin to solve this cybersecurity problem on its own in a way that the federal government cannot keep up with. This will only create a more unstable and hostile area for everyone.
Ross Rustici, Managing Director of StoneTurn, is co-author of this article.