Paper proposes 'civic switchboards' for public-private cybersecurity cooperation


Correction appended

Proposed legislation that would center public- and private-sector cybersecurity collaboration on a single coordinating entity would fall short in effective engagement, asserts a paper published this month by the Center for Strategic and International Studies.

The paper (.pdf), authored by Rachel Nyswander Thomas as part of a graduate thesis at Georgetown University, is also critical of the status quo. She characterizes it as a host of public-private partnerships that have created pockets of information sharing but can't hold partners accountable and have made limited progress toward other objectives such as research and development.

Collaboration efforts in the form of Information Sharing and Analysis Centers from the 16 critical infrastructure and key resource sectors recognized by the Homeland Security Department have bumped into the problems of engaging small businesses, widely varying maturity levels of ISACs, and "the sheer quantity of government entities with which any one sector needs to partner."

Some cybersecurity legislation proposed in the House and Senate during the last Congress (which adjourned in 2012 without coming to agreement) included proposals to create a nonprofit information sharing clearinghouse organization or to codify the existing National Cybersecurity and Communications Integration Center within DHS as the exchange center. Neither alternative would close the status quo's gaps in handling other cybersecurity matters or in wider engagement, Thomas says.

Public-private information sharing may be overrated as a goal, she also writes, stating that a source from the defense industrial base information sharing program started by the Defense Department asserts that only about 4 percent of threats over a 6-month period were detected thanks to government information. "If the intelligence shared by the public sector is little better than the information already in the hands of private parties," that raises questions about the extent to which public-private information sharing is truly necessary to improve cybersecurity, Thomas adds.

In the place of other options, she proposes "civic switchboards," a mechanism for connecting resources among organizations that requires little direct government control. Thomas says two civic switchboards would be necessary to improve national cybersecurity--a government-controlled one for information sharing and incident response, and a nonprofit one for other objectives, such as research and development, technical standard setting and building human capital. In some cases, the government civic switchboard would act as an intermediary between existing public-private partnerships and in others foster the creation of new ones, she says.

Thomas cites the Obama administration's Startup America Partnership as an example of a civic switchboard-like entity; the partnership is a nonprofit convened at the behest of the Small Business Administration that seeks to promote entrepreneurship.

Correction Aug. 26, 3:55 p.m.: Following the Feb. 12, 2013 issuance of PPD-21, the number of DHS critical infrastructure sectors is 16; an earlier and now-corrected version of this story repeated the older number of 18. Thanks to Andy for pointing out our error, which we regret. 

For more:
- download Thomas' paper, "Securing Cyberspace through Public-Private Partnership" (.pdf)