Cybersecurity is one of the biggest and probably most misunderstood national security issues of our time. Yet the public does not seem to take the threat seriously. Many argue it will take a "cyber 9/11" for the American public to wake up to this issue.
Adding to the problem is the absence of a government lead to assist in the development of the necessary doctrine, strategy, definitions and policies for dealing with the cyber threat. This is not to suggest that the government has not engaged in credible efforts to address cybersecurity, as the president has established cybersecurity as one of his top national security priorities, Congress has more than 20 pieces of cybersecurity legislation before it, and the secretary of Defense has established a cyber command to protect Defense Department capabilities. However, these laudable efforts need to be synchronized by someone who can move the government beyond the discussion of the nature of the threat to real programs for dealing with the threat.
One promising idea in the effort to secure cyberspace would be a partnership of the private and public sectors to ensure the safety of the Internet. The American public has a rich history of self-regulation and partnership, turning to the government only with some very specific requests for guidance and regulation. Just look, for example, at the public utilities commissions, school boards, volunteer fire departments and chambers of commerce. On a larger scale, the North American Electric Reliability Corp. and the National Weather Service have long served the public good through privately led efforts. These arrangements allow the government to utilize private-sector expertise and agility, coupled with government resources, legitimacy and authority to maximize effectiveness while limiting impact on the market.
These and other successful arrangements have a common thread of private-sector leadership with government support, cooperation and self-limitation. This model should be emulated when it comes to the looming decisions over safety of cyberspace. One approach would be to establish a national cybersecurity panel composed of business and government leaders, as well as representatives from privacy and civil liberties advocacy groups. This body would be charged with identifying areas of complication and hindrance, such as information sharing and standardization. It would launch discussion of the interests, risks and concerns for all sides and work to find solutions to ensure safety without unacceptable costs or risks — such as liability for consequences of failure, anti-trust law, and the concern that the Freedom of Information Act opens up proprietary information to public view.
Despite private leadership, this model will succeed only if the federal government is positioned to provide legitimate authority and legal backing, changing and realigning law and regulation where needed to create a better functioning legal and governmental regime for cybersecurity. Most important on the government side is ownership. While cybersecurity obviously affects every department and agency, this abundance of interested parties can complicate and slow decision-making that needs to be timely to keep up with the rapid technology cycles. Therefore it is essential that one government entity, such as the Homeland Security Department's National Protection Programs Directorate, be the lead government partner for private-sector cybersecurity.
Cybersecurity is a pressing issue, one that should be addressed before we face a cyber 9/11 — as we almost certainly will. The U.S. has a history of self-organizing to solve big problems and this one does not have to be different. What's called for is a close public-private partnership where the corporate owners and operators of the networks jointly resolve legal and procedural issues and set forth plans to standardize and improve net safety and security; and where a clearly delineated government partner is involved and motivated, but lets industry lead.
Ellen McCarthy is president of the Intelligence and National Security Alliance, a nonprofit, nonideological, professional association created to improve the nation's security.