Op-Ed from the Morning Consult, March 9, 2020
By Jonathan Day and Michael Mahoney, Tapestry Networks
Cyberattackers from abroad don’t care much about the difference between government and the private sector in the United States. They may have reasons for targeting one over the other in an individual instance, but their goal often is to exploit weaknesses and disrupt operations.
The Sony Pictures hack from 2014 is a great example. Hackers believed to be close to North Korea — or maybe the North Korean government itself — attacked a film studio with the goal of disrupting the release of a movie critical of North Korea. That cyberattack shows that it’s not just the public sector that has national security vulnerabilities on the cyber front.
That is why a chorus from the private sector is emerging, calling for better coordination between the government and corporations on dealing with emerging and evolving cybersecurity threats. Congress can play a role in bridging the two sides.
We heard that when we convened members of the Cyber Risk Director Network, a gathering of non-executive directors from some of the biggest American public companies, including Apple, General Motors, General Electric, Home Depot, Citigroup, and Delta Air Lines. They participated in a frank discussion of how giant corporations — and especially their boards — address cyber risk. The result is a comprehensive report on their conversation, although one that does not attempt to speak for the group as a whole or from any one individual or company’s perspective.
For the private sector, cyber risk is more fluid and potentially damaging than some of the traditional risks facing large public companies.
While the group also touched on the importance of how to address cyber risk through board governance and the board’s role in cyber incident response, deeper public-private collaboration on cyber risk was a priority, albeit one that carries its own cautions.
At present, collaboration between the government and the private sector is embryonic. Cooperation is hindered by legal and structural barriers as well as a lack of trust between the two groups.
The structural differences between government agencies and companies, and even clashing missions across different government agencies, can limit the value of corporate-government interaction. On the private sector side, there are risks for sharing information, including from corporate competition to legal vulnerability.
The private sector sees taking the initiative to make changes for the better. This includes changing their approaches to working with government and educating Congress and federal agencies on the needs of large companies. When approached through a national security lens, government officials should take notice.
The CRDN members noted government efforts to improve public-private collaboration, including the 2015 Cybersecurity Information Sharing Act, temporary security clearances for corporate leaders, and deeper and more widely promulgated standards for dealing with cyber risk. But they see these as early-stage efforts. If they are to succeed at scale, structural and trust barriers need to be overcome.
In discussing the idea with policymakers, we found that there was an appetite on Capitol Hill for this type of collaboration.
One opportunity to move forward comes this month with the expected release of the Cyberspace Solarium Commission report, which reportedly will recommend a number of steps, including public-private collaboration measures, to address what is not working about the United States’ cyberspace deterrence capabilities.
The commission draws upon different parts of the government — Department of Homeland Security, Office of the Director of National Intelligence, Department of Defense, and bipartisan members from both chambers of Congress — and is evaluating the resources, response mechanisms and strategies for effectively providing for national cybersecurity.
The private sector will be watching this report closely, and with a particular interest in how the government views public-private cybersecurity collaboration and what steps, if any, it recommends for deepening that cooperation. It also will look at what the government proposes about its own organization when it comes to cyber defense.
The risks are real in cyberspace, and not dealing with them together puts both the government and the private sector at a disadvantage when compared with the nebulous and ever-evolving cyber threats. The private sector should put forth its own ideas about bridging the divide, and it should constructively engage with those put forth by the government.
If we don’t tackle the public-private challenges together in a deeper and more meaningful way, our national security will remain vulnerable on the cyber front.
Morning Consult is a global technology company revolutionizing ways to collect, organize, and share survey research data to transform how decisions are made.