(Washington, DC) Improving private sector relations with the government, particularly in the area of threat information, will be central to the future success of the cybersecurity framework issued last week by the National Institute of Standards and Technology (NIST), according to a panel of industry representatives speaking at a Bloomberg Government cybersecurity conference here today. That framework was developed pursuant to an executive order signed by President Obama last February and is slated to be final under the order by February 2014.
When asked to rate the still-preliminary framework on a scale of one to ten in terms of how well the public-private partnership has worked so far in developing the framework, Dean Garfield, President and CEO of the Information Technology Industry Council, rate the effort an 8.5. "What was surprising to me is that there is broad consensus on policy issues," he said.
"It's improving, it's moving toward the higher end" of the scale, Robert Mayer, Vice President of Industry and State Affairs at telecom trade association USTelecom said. "The grade is obviously incomplete [but] I'm encouraged by the direction we're moving in," Internet Security Alliance CEO Larry Clinton said.
Jeremy Bash, Managing Director of policy consulting firm Beacon Global Strategies, however, rated the effort as merely a three "because there is a huge disconnect with industries. For the vast majority of enterprises, this issue is not yet on the radar screen." Most industries "fundamentally want one thing - they want the government to share sensitively derived threat [information], Bash said.
Incentives, which are also addressed separately in the executive order, are also key determinants of how well the framework will be adopted. One important incentive is to improve information sharing between the government and private sector, Garfield said. "Making sure we have the capacity and communication internally within the administration and the government to share and make use of the information that has been shared," is crucial.
The problem is going to be that many incentives, including some of the liability protections needed for effective information sharing, will require statutory authority, necessitating an act of Congress, Mayer said., a very difficult feat given the current legislative environment. One big problem with threat information sharing is that "the government doesn't want to share data because they are afraid the source of the data will come out," Clinton said. "The thing is industry doesn't care about the source. So take the source data out."