The Cybersecurity Act of 2012 has now been posted. The dialog of representative government as started with enlightenment on what is important to different interest. Coincidentally, this act is directly applicable to the principle of aggressive private-to-private collaboration with public participation. The act ‘could’ significantly help our cyber-security capabilities OR it could dramatically hurt the successful International collaboration has been gaining momentum.
The act follows a model of US Government centered public-private partnership. “Public-private partnership” is a phrase used frequently when a policy maker has no other capable recommendation. When pressed to elaborate what is meant by public-private partnership, the answers are non-specific with a core theme of private industry informing the government about the threat, providing data on the threat, and giving them their analysis on the threat. In essence, the term “public-private” partnership describes a relationship where private industry has to feed information into the government. Here lies the problem. Private industry has no sustainable interest in a one-way partnership.
Over the past decade, cyber-security public-private partnership has not delivered results. We have learned public private partnership does NOT lead to action. Without action, there is no progress in our endeavors to strengthen our cyber-security posture. Our experience in operations ranging from Conficker, to Coreflood, to Waldec, to Auora have all shown that “public-private” partnership which is driven by one government was never a driving factor for action. It does not mean that Public-Private partnership is a broken (watch for the next article in the series). It just means that public-private partnership is limited – for which the industry has found ways to compensate for those limitations with aggressive private industry to private industry collaboration before governments (in plural) are pulled into the investigation.
Quietly and successfully, the industry has found that the prerequisite to action is an environment for which private industry collaborates with each other in ways that benefits their mutual defense. Private-to-Private collaboration has always been the first step to our cyber-security takedowns. Postmortems on all the successful malware takedowns uncover that the first phases of the operation are always private industry collaboration. Private industry uses their resources to map out the crime, scope the threat, and determine a proposed plan of action. This investigation leads to enough information to reach out to the appropriate public partners (in plural) to launch an official investigation. These public partners are plural with law enforcement agencies in several countries.
Private industry collaboration for their collective defense is increasing. The dialog is already reaching legislators to find the balance between industry – as part of cyber-civic society – to be able to protect itself and the interest of the public to insure private industry is not violating collusive trade practices. As in the past, this dialog for balance takes time, but should not be an impediment to progress. Hundreds of billions in loss to cyber-security activities demands industry response. 2012 is the year where collective self-interest leads to a persistent principle of collective self-defense as a persistent value on the Internet.
Does the industry need new legislation to facilitate aggressive private-to-private collaboration? Yes & No. Existing contract law provides many tools required to facilitate this sort of collaboration. So, the industry would continue forward using the existing laws and building new contracts that facilitate the “peering” of security information. Yet, collaborative investigations would be easier if there was better clarity in the laws. It will remain to be seen if the final evolution of a new Cybersecurity Act would foster private industry collaboration or put limitations that prevent effective action.
What Can My Organization Do Now?
“Size matters not. Look at me. Judge me by my size, do you? Hmm? Hmm. And well you should not. For my ally is…” everyone on the Internet who I collaborate with in our mutual self defense. No Yoda did not say that in Star Wars, but the point is valid. Organizations of any size – even someone’s broadband connection at home – can collaborate with everyone else to make a difference.
Jump into private industry collaboration! All legitimate organizations on the Internet can contribute to the “make the Internet safer” cause while benefiting for their contributions. The next article will walk through some of the options available to join the private industry collaboration. What will it cost? Time and effort with NO need to buy any new equipment!