The level and type of public-private information sharing on cybersecurity has expanded, particularly since 2007 when the Defense Department kicked off the Defense Industrial Base pilot program. The concept of information sharing, however, has existed for at least the past decade.
“It’s the idea of crowdsourcing before the term crowdsourcing came up,” said Jason Miller, executive editor of Federal News Radio. “All of us together are smarter than each of us alone.”
The Federal Drive with Tom Temin and Emily Kopp hosted a panel discussion with Miller and Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center (IT-ISAC) and vice chair of the National Council of ISACs (NCI), as part of the multimedia special report Cybersecurity Rising.
Algeier said the key to a successful public-private partnership in cyber info sharing is to treat each party as an equal. Both parties, however, must also recognize that each has different goals when it comes to protecting networks, he said.
“Industry views it from the business perspective. I have business assets I need to protect. They manage that risk like they manage a lot of other risks. There’s only so many dollars industry can spend without impacting shareholder value,” Algeier said. “The government views this from a national security perspective, so their tolerance for risk, I think, is a lot less.”
Industry and government must first identify common issues to work on and develop a plan jointly, Algeier said.
“I don’t think it’s enough for industry to be shared documentation that says, this is our plan and you have a week to tell us what you think,” he said.
Establishing info sharing center
As agencies move more to e-gov and e-commerce, the government has become increasingly dependent on the private sector, Miller said.
The federal government realized, “The partnership has got to be stronger,” he said.
The National Cybersecurity and Communications Integration Center (NCCIC), launched in 2009, is the “nexus of information sharing between the government and the private sector,” said Mark Weatherford, the deputy undersecretary for cybersecurity at the Homeland Security Department, in an interview with Miller.
IT-ISAC is part of the NCCIC forum. Once industry shares information with NCCIC, that information is distributed to other agencies.
“To bring it full circle, a lot of my members, a lot of IT companies, are actually contractors to those agencies. They then … develop the tools and technologies,” Algeier said.
Industry and agencies each have skills they can share with each other. Industry, for example, has done a good job securing new networks, Algeier said.
“They repel thousands of attacks a day on their networks. I’m not going to sit here and say all industry networks are as secure as they can be, but I think the overall track record of industry securing new networks is pretty strong,” he said.
On the other hand, some agencies have cyber skill sets that are as good as or better than those found across industry, Miller said. Some examples could be found at the National Security Agency or the U.S. Cyber Command, he said.
“I think the government sometimes gets a bad rap, but they’re the ones developing [or funding] a lot of the cutting-edge technology that industry kind of commercializes and broadens and makes it better,” Miller said.
Today’s panel is part of Federal News Radio’s multimedia project Cybersecurity Rising, which focuses on the progress federal agencies have made in the last six years on securing their systems and protecting their networks.