A Look into Public Private Partnerships for Cybersecurity
April 18, 2017
“The United States must treat cybersecurity as one of the most important national security challenges it faces.” This was the central finding of a 2008 report from the Center for Strategic and International Studies Commission on Cybersecurity, prepared to inform the cybersecurity policy of the 44th presidency.  Almost a decade later, the integrity of public and private sector network infrastructure is even more crucial to national security.
Cyberattacks pose a unique type of threat, from compromising power grids to impacting financial institutions to leaking confidential information. Due to the novel nature of cyberthreats, former Deputy Secretary of Defense, William J. Lynn wrote in a 2008 statement on the Pentagon’s cybersecurity policy that standard models of deterrence will not apply to cyberspace. “Cyberwarfare is like maneuver warfare,” he wrote, “in that speed and agility matter most. To stay ahead of pursuers, the United States must constantly adjust and improve its defenses.” 
The past four administrations have emphasized the importance of cybersecurity in both the public and private sectors. Administrative and legislative efforts have emphasized the importance of partnerships between industry and government in defending critical infrastructure, promoting initiatives for cybersecurity education, and ensuring the integrity of network infrastructure. This article examines role of the private sector in national cybersecurity policy and analyzes the strengths and limitations of cybersecurity public-private partnerships.
The public and private sectors can both benefit from working together on cybersecurity initiatives. The private sector controls much of the critical infrastructure that is vulnerable to cyberthreats. Thus, many companies that own such infrastructure already have cybersecurity programs, giving them specific expertise and experience in dealing with potential threats. The public sector has different strengths in that it is better positioned to investigate and prosecute cyber criminals. The source of a cyberattack is often difficult to identify, and government agencies often better positioned to collect foreign intelligence, collaborate with other international agencies, and gain access to critical information regarding potential threats. 
Cooperation between industry and governmental agencies on joint cybersecurity initiatives can leverage the unique yet complementary strengths of both sectors. For example, public-private partnerships are especially effective in mitigating financial cybercrime, for the joint cooperation of the two sectors address the interests of consumers, businesses, and the government alike.  According to the Intelligence and National Security Alliance, the mission of cybersecurity public-private partnerships (PPPs) is three-fold. First, these partnerships must identify and detect behaviors of concern. Second, PPPs must ensure that actors from both sectors comply with the standards of the partnership. Third, and arguably most importantly, PPPs must provide a mechanism for response after a cyberthreat; this entails conducting examinations of an attack and addressing any necessary shortcomings in the current defense system.  Furthermore, effective PPPs should also ensure that cybersecurity developments in the private sector and their policy implications are well understood by policy makers. 
Current Hesitations to Establish of Public-Private Partnerships
Even though PPPs are beneficial for both sectors, some private companies are reluctant to establish cybersecurity PPPs. One of the key hesitations in the private sector to form a public-private partnership concerns issues of trust, control, and disclosure. Regarding trust, companies often doubt whether they should involve the government after a cyberattack, for the government would necessarily have access to the company’s private data. Moreover, even in the case of a serious breach, companies might still be reluctant to directly involve the public sector if they fear that government involvement would only escalate the severity of the situation. Furthermore, once a private company involves a government agency in investigating a cyberattack, the company would lose autonomy over their investigation. Some companies are also hesitant to share information with the government. Since the government would not be able to provide all data regarding potential cyber crimes because some information may be classified or confidential, many companies feel that the information sharing would end up as a one-way relationship.  Moreover, some private companies may also worry that handing over sensitive information may damage their reputation or that the information will not be treated will full confidentiality. 
Regarding disclosures, the Securities and Exchange Commission (SEC) requires that significant cybersecurity risks and incidents should be disclosed to investors. Yet, it is unclear how to determine the significance of a given risk or event. Even though members of both the public and private sector have tried to delineate best practices for cybersecurity-related SEC disclosures, companies may still be reluctant to disclose information about a breach, fearing that it would damage their market value, reputation, or clients’ trust.  Studies have even found that announcing an internet security breach can hurt a company’s market value. In one study, breached companies lost an average of 2.1% of their market share within two days of disclosing the breach to the public. 
Another hesitation to engage in PPPs is the complex regulatory and legal landscape surrounding cybersecurity. In the event of a breach, companies may now need to go even further than standard SEC disclosure obligations. Private companies may even have to disclose potential risks or cyberattacks to state governments, the Department of Justice, or even plaintiffs who are affected by a cyberthreat, depending on the scope of the attack. Moreover, the majority of US states have adopted legislation that requires government agencies to disclose to citizens any breaches of personal information. Thus, in establishing a PPP, the public sector must find a balance between cooperation with the private sector and holding them accountable in the event of a breach. The public sector’s differing obligations make it challenging to partner with the private sector, and without any legislative efforts to clarify cybersecurity regulations, the private sector is faced with a fragmented collections of laws regarding notification, liability, and disclosure in the event of a cyberattack. 
PPP Models and Recommendations
Through analysis of current PPPs in areas outside of cybersecurity, there are some proposed models of an effective cybersecurity PPP that would help to mitigate its most apparent limitations. Since private companies identified a lack of trust as a key hesitation in working with the government as part of a PPP, an effective PPP must immediately establish a level of trust and transparency. For example, in order to foster a sense of trust, some PPP’s in the Netherlands have created a secure network of information that the government cannot directly access without the express consent of the companies involved. 
Moreover, one model has members of the public and private sectors working together on a joint cybersecurity panel to develop trust and promote cooperation and dialogue. This panel could also include representatives from the existing network of Information Sharing and Analysis Centers (ISACs) to create an organization that would reflect the interests of both the government and private companies. Public Utilities Commissions have successfully used such a leadership structure to form a partnership between the government and the local business community. 
Furthermore, there are several proposed recommendations for developing effective cybersecurity PPPs. In a 2016 briefing, the World Economic Forum proposed five key recommendations for developing PPPs to specifically fight cybercrime. Among those recommendations were strategies for establishing more real-time information sharing systems, developing a uniform rule of law for cybercrime, and encouraging national law enforcement agencies to more actively engage in cybersecurity PPPs to improve coordination between the public and private sectors. Keeping in mind concerns about trust, the World Economic Forum also called both the public and private sector to engage in open discussions about their differing motivations and viewpoints regarding cybersecurity.  Furthermore, as the field of cybersecurity is ever changing, it is crucial that cybersecurity PPPs clearly define their goals and also address the often differing agendas of the government and private sector. 
Cooperation between the public and private sectors is an essential aspect of our national cybersecurity strategy. Cybersecurity PPPs must be based on a foundation of mutual trust, and open dialogue between private companies and the government can help to ameliorate some of the reluctance in the private sector. Moreover, by clarifying the regulatory framework surrounding cybersecurity, the government can better assuage private companies’ hesitations to reach out to the government in the event of an attack. By addressing these concerns, cybersecurity PPPs can work to develop strategies for risk management and information sharing, and both the private sector and the government will be better equipped to handle future cyberthreats.
Additional Blog Posts
Student Blog Disclaimer
The views expressed on the Student Blog are the author’s opinions and don’t necessarily represent the Penn Wharton Public Policy Initiative’s strategies, recommendations, or opinions.