Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

To deter cyber attacks, build a public-private partnership

Meaningfully improving cyber security and ensuring the resilience of systems will require cooperation between members of the private sector and the government, according to University of Illinois College of Law paper.

The best way to combat cyber attacks may be a joint public-private partnership between government and business but the time to act is now, rather than in the wake of a crisis, says a new paper from Jay Kesan, the H. Ross and Helen Workman Research Scholar at the University of Illinois College of Law.

“Cyber security is a big deal, and the protection of critical network infrastructure is a matter of national security,” said Kesan, who directs the Program in Intellectual Property and Technology Law at Illinois. “If nothing else, cyber attacks are very expensive, costing the global economy almost a half-trillion dollars per year, according to some estimates. For either of those reasons alone it should be given more attention.”

Meaningfully improving cyber security and ensuring the resilience of systems will require cooperation between members of the private sector and the government, according to the paper. To that end, Kesan and co-author Carol M. Hayes, a research associate with U. of I. College of Law, propose a framework for the sharing of information about threats and solutions that they believe reconciles the competing concerns of privacy and cyber security.

“Privacy and cyber security are not mutually exclusive, but balancing the two interests may require cooperation and the occasional compromise,” Kesan said. “We believe that cyber security can be enhanced without creating an Orwellian, Big Brother world, and encourage the development of what we call a ‘Circle of Trust’ that brings the public and private sectors together to resolve cyber security threats more effectively.”

The goal is to foster trust between the private and public sectors, he said.

“When the public sector shares information with the private sector, that encourages the private sector to trust the public sector, and vice versa,” Kesan said. “Our proposed framework advances this notion of trust even further by allowing both sides to preserve a degree of secrecy – for example, government secrecy for classified military activities and geopolitical information, and private-market secrecy for consumer information, including information about consumers’ online activities. It functions to assure participants that overreach by either side will be limited.”

Private cyber security researchers could benefit from information about intrusion attempts and details about vulnerabilities uncovered by government actors, and government agencies could benefit from up-to-date information about private cyber security innovations and the identification of vulnerabilities by private firms, the researchers say.

Although some existing laws would need to be revised to implement the proposal, “both sides could benefit from information sharing about different security measures and their rate of success,” Kesan said.

To emphasize the importance of cooperation, the paper presents case studies of two recent government proposals to address cyber threats: the proposed Cyber Intelligence Sharing and Protection Act (CISPA), and the presidential executive order that outlines procedures to establish voluntary cyber security standards.

Both proposals would create a way for qualified members of the private sector to obtain security clearances to receive classified cyber threat information from the government, and CISPA also would allow the private sector to share cyber threat information with government agencies.

But according to Kesan, efforts to address cyber threats may be hindered if policymakers rely solely on voluntary compliance.

“Both CISPA and the executive order take a voluntary approach, and we argue that a purely voluntary mandate is undesirable in both contexts,” Kesan said.

Under each system as currently proposed, participation by private firms is purely voluntary and there is no penalty for non-compliance.

“Voluntary programs can be effective in some situations, but they may ultimately be interpreted only as aspirational guidelines,” Kesan said. “In the sensitive context of cyber security, aspirational guidelines for security standards could lead to low levels of compliance, the withholding of valuable information by those who do not participate, and a greater risk of overshare by those who do participate.”

On the other hand, mandatory programs with effective enforcement mechanisms are likely to result in higher levels of compliance, the authors note. This may be especially true when the program concerns highly complicated subject matter, as previous research has indicated that voluntary compliance may not be as effective in those situations.

“Government intervention with the free market should be minimized, but when cyber security issues have implications for national security, some degree of mandatory regulation would be beneficial,” Kesan said. “The Obama administration recognized this through the issuance of the executive order on improving critical cyber security infrastructure, and Congress has recognized this as well.”

Unfortunately, cyber security has proved to be a much more partisan issue than it should be, and Congress has not yet come together to take meaningful steps to protect the cyber infrastructure, Kesan said.

“Advocates for private enterprise have discouraged the imposition of meaningful cyber security requirements on privately owned critical infrastructure, while advocates for civil liberties and privacy invariably react with alarm to regulation that involves the collection of information about threats,” he said.

Both Kesan and Hayes believe it is unlikely that Congress will pass effective cyber security legislation in the current session, which is scheduled to end on January 3, 2015. Although the presidential executive order and their proposed cyber security framework could provide some helpful first steps, the authors say that it is neither feasible nor desirable to rely solely on executive power to shore up the cyber defenses of the government and the private sector.

“Ideally, our proposed cyber security framework would be implemented alongside supporting legislation to ensure that cyber security actions and standards are subject to the checks and balances of our system of government,” Kesan said. “CISPA could be easily revised to accompany our framework.”

The authors also contend that it is important to ensure that this issue is subject to deliberate and careful decision-making by policymakers before a massive cyber catastrophe forces the government to act quickly and without adequate safeguards. They point to the history of the Patriot Act, which was hastily passed in the aftermath of 9/11, and has been the target of significant criticism on civil liberties grounds over the last thirteen years.

“It’s vital that these issues are addressed soon while there is still a chance to prevent a catastrophic cyber event,” Kesan said. “It would be ill-advised to rely solely on executive power or on legislation that is hastily drafted and enacted after an emergency.”

The paper, ‘Creating a Circle of Trust to Further Digital Privacy and Cybersecurity Goals,’ is available here.

•Date: 26th August 2014 • US/World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here