Sitting at a National War College event in Colorado Springs recently, attending a forum of thought leaders addressing a Public-Private Partnership model for cyber resilience and national preparedness, there was a common refrain among speakers and attendees: “Fighting the cyber threat requires a partnership between government and industry.”
At one point, a NORTHCOM official mentioned concerns about the constitutionality of certain cyber activities that would be off-limits to the Federal Government on civil liberties grounds. That is when I offered this observation:
Government has the mission but is constrained by legal authority in cyberspace.
Conversely, the private sector is not similarly constitutionally constrained, but lacks the mission.
It is this dichotomy of roles, interests, and constraints that seems to have forced a recognition by government officials that a partnership model is needed. Despite thisPartnership Mantra, there are insurmountable issues that belie the feasibility of establishing a DIRECT partnership between government and industry. This tension is laid bare in debates like the chasm between Washington, DC and Silicon Valley over an encryption backdoor for law enforcement.
In Part 1 of this series, I described cyber risk as being existential, while next observing in Part 2 that the market was not responding to such a calamitous risk properly. I would observe in this piece that government is also not responding to this calamitous risk properly. Instead of cajoling for adoption or criticizing industry for its failure to embrace a DIRECT partnership model, government should recognize the fundamental values that private industry is embracing in this squabble.
Here is a question for government:
If the role of Non-governmental Organizations (NGO) is well-established and accepted by governments and international bodies, and if NGOs successfully perform delegated functions to promote stability around the world, then why don’t we consider a domestic NGO model for cyberspace?
THE CASE FOR A THIRD SPHERE MODEL
The Public-Private Partnership (PPP) has become a convenient answer, a notional and propped up soundbite, used to respond to challenging questions about how WE are going to solve the cyber threat. For many, it has come to mean the DIRECT partnership model described above. Instead, we should be looking at a Third Sphere model in which the spheres of government and industry collaborate with a Cyber NGO, which is chartered with certain consensus responsibilities that benefit both government and industry.
There is too much to unpack about a Third Sphere model in a single Pulse. In this Part 3 piece, I will describe the contours and the justification for its establishment.
At the outset it is readily acknowledged that calling for a Third Sphere construct which has official stature roughly on par with all of civil society and all of government represents a transformational endeavor. And though I have, at times, found myself questioning this as a Quixotic fantasy, there are strong roots in reality to this idea when one considers that, by some accounts, the entire US economy is choreographed by a largely independent institution: The Federal Reserve System.
Not wanting to here debate the true independence of The Fed, it is useful for a general proposition about government’s ability to delegate quasi-government authority and responsibility for a core national function. Indeed a function centrally tied to the Nation’s economic vitality! Perhaps other examples of government-sponsored or government-enabled independent institutions, like ICANN, the United States Postal Service, or Freddie Mac/Fannie Mae, are better examples. Perhaps it’s an entirely new, co-created partnership. Simply put:
If we can delegate mission with respect to the economy, we can do that with cybersecurity.
And delegating mission gets to the heart of the matter. The notion of the cyber Public-Private Partnership that is presently called for lacks substance, definition, relevance and sustainability until government is ready to offload certain missions to it. That is, a Third Sphere model solves trust issues and many legal issues, but what is the market incentive to work with it, and how does it sustain itself? Having certain delegated quasi-governmental missions would provide the foundation for answering these questions.
THE CONTOURS OF A CYBER NGO
The fundamental aspect of this model, which necessarily sits abreast industry and government, is that it is a utilitarian model. It is an issue-based enterprise, not a For Profit business. It is established to perform cyber functions that neither industry nor government can do on its own. It is an enabler for both, while also being independent.
Its core attribute, therefore, must be its trusted status. As such, and to facilitate mission delegation from government, normal federal contracting and ethics rules could be liberalized. Similarly, it should enable markets and not compete with industry.
Conceptually, to meet the foregoing descriptions, the Cyber NGO should have mission and responsibilities related to partner-type functions, such as: knowledge exchange, research, education, standards, R&D gaps, advocacy, and government-specified tasks.
ALIGNMENT WITH NATIONAL INITIATIVES
Parts 1 and 2 of this series described massive challenges posed by the cyber threat, even calling the risk existential. I believe “existential” is appropriately used to describe the cyber risk. Moreover, structural changes are entirely necessary for an existential threat. While not using the existential descriptor, cyber has been called the Nation’s number one national security threat.
Just last week, a report out of the White House called for a ‘Whole-of-nation’ cyber deterrence strategy. Similarly, in 2013 the National Infrastructure Protection Plan (NIPP) framed national capacity building for cyber risk as a “Call to Action”. The same capacity building concept recently emerged in the National Critical Infrastructure Security and Resilience Research and Development Plan (CISR R&D Plan). And there is also the Information Sharing and Analysis Organization (ISAO) effort by the Department of Homeland Security. The FBI’s InfraGard model, with its regional offices, has existed for a long time. There are also Fusion Centers in every state, and many Information Sharing and Analysis Centers (ISAC). What is missing in all this is a foundational PPP construct.
It seems evident that establishing cyber capacity centers is part of the nation’s roadmap for improving cyber resilience. A Cyber NGO model, in which certain missions of government are delegated to an independent entity, is a critical element for ensuring private sector adoption. A Cyber NGO model is also essential for the TRUST that is so central to an effective partnership.
In a prior piece in Forbes I wrote about the need for a Cyber Posse – a private sector team of cybercrime stoppers. While there are functional benefits to that concept, and certainly private sector scaling to the escalating cyberattack risk is needed, a Cyber NGO establishes a complete structural model that addresses a broader challenge. As described in the prior Parts of this Series, current efforts by the US Government have been piecemeal and incremental measures. To address an existential threat, WE need to think more strategically. Structural changes are needed.
These thoughts are offered to enable a national dialogue. In a sense, this is a response to the NIPP Call to Action, which seeks to mobilize the private sector. A group of us called for an earlier version of this concept in 2013. So there has been private sector advocacy for a solution that heretofore lacked structure and recognition from government that such a model was needed. It is time for government, in addition to its recent promulgation of law and executive orders, to institute a Third Sphere model to put structure and viability behind this societal Call to Action.
In future Pulse publications, I will share more thoughts on the Cyber NGO.