Industry and government are both vital cyber security providers, yet the ways they can work together remain misunderstood.
Public–private partnerships (PPPs) have long been a mainstay of national cyber security strategies, but what exactly are they? Despite their longstanding popularity, references to PPPs are often shrouded in vague generalities. Policy proposals regularly extol the benefits of ‘information sharing’, yet recommendations need to go further in understanding the spectrum of collaboration opportunities and the respective benefits and limitations of different operating models. Critically, discussions on PPPs need to move beyond loose plans to merely collaborate and instead get serious on the logistics, operational details and meaningful engagement that address how such benefits can be practically derived.
Both government and private entities undeniably make important contributions to securing society. This commentary seeks to identify some of the key PPP opportunities and provides suggestions for how both government and industry can move forward.
A Spectrum of Models
PPPs encompass various relationships, ranging from informal public–private community-building initiatives to contractual engagements. Such a broad definition should be encouraged, because ‘PPP’ is best seen as an umbrella term. It captures a variety of different operating models, all of which bring different benefits and trade-offs. An effective PPP strategy will acknowledge this reality and pursue partnerships that are most suitable for the challenge at hand.
Cost-free or non-commercial initiatives provide a range of benefits for all stakeholders. The UK’s Industry 100 is one example where the country’s National Cyber Security Centre (NCSC) brings public and private sector talent together to collaborate on nascent security challenges. This allows the government to benefit from a greater diversity of ideas and perspectives.
It has also helped UK government agencies to develop an open and communicative relationship with industry. This is particularly important given that the UK intelligence community has been open about the need to combine the traditional intelligence culture (for instance, classified briefings and closed-door meetings) with an outward-facing response that acknowledges the benefits of collaboration and the variety of stakeholders involved in cyber security.
Likewise, private sector organisations participating in partnerships such as the Industry 100 are able to build not just institutional links with government bodies, but also develop human relationships with those on the opposite side of the public–private line. With trust being a highly valued currency within the industry, the benefit of these connections should never be underestimated.
Despite various benefits, most organisations will only be able to realistically dedicate limited resources to purely voluntary engagements. Paid commercial work is, therefore, on the other side of the PPP carousel. Many governments will have a range of deep commercial relationships that supplement their internal capabilities and are far more formal arrangements. These have more limited (or at least highly focused) community-building potential. Yet, they provide governments with a more significant allocation of resources and technical expertise. This can facilitate more meaningful and in-depth collaboration at an operational level.
Clearly, there are a rich variety of collaboration opportunities for cyber policy teams to choose from. This is why many developed Western states maintain a range of different industry partnership initiatives simultaneously. Here, some of the most exciting developments are occurring through the sharing of cyber threat intelligence.
Forming a Collective Understanding of Intelligence
As private cyber security providers and governments have distinct perspectives into the threat landscape, they can learn from each other.
Government agencies possess unique advantages when researching cyber threats, including: the ability to conduct active cyber espionage operations into adversary networks; access to network traffic on a national (and often international) scale; or the use of human intelligence sources that provide additional enrichment. Government agencies have unparalleled insight into such areas as Russian communications and Chinese procurement programmes, which can increase their understanding of threats facing their country.
Conversely, industry has detailed insight into victims’ networks. Many leading cyber security companies operate on all continents, providing a global vantage point. A significant amount of cyber espionage activity occurs on private sector networks, and this ‘near space’ visibility is a blind spot for government entities. The significant portion of critical infrastructure that is owned and managed by the private sector in the UK also means that industry is inextricably linked to matters of national security.
Cyber security firms’ insight into victim environments is based on the demographics of their customers and the type of services that are provided. An endpoint or email protection provider, for instance, observes a wide and expansive view of the threat landscape. By protecting often millions of endpoints, these organisations broadly understand the malware and threat actors that are active within a particular industry or region. Incident response firms, by contrast, perform in-depth engagements and build a deeper understanding of the attacker lifecycle from start to finish.
The point here is not that any one entity has the best insight, or even that different institutions should necessarily be directly measured against one another. It is instead helpful to see the threat landscape as an area where various organisations – both public and private – simply have different lenses and perspectives. Rather than seeking to loosely share information, forming a collective understanding of intelligence entails a more substantive discussion on the unique perspectives of different parties. From there, participating entities must understand how and where such insight can be shared in a manner that recognises the various sensitivities and security interests involved.
Dynamic Access to Resources
All security functions must operate within the realities of a resource-constrained environment. Maximising the efficiency of cyber security investments is therefore essential.
Outsourcing is often touted as a way to provide governments with access to talent that they would otherwise struggle to retain or justify the expense of on a full-time basis. Whilst this might be true, PPP discussions should not only focus on access to talent alone, given the wider benefits of working with partner organisations.
The tempo of defending networks contains natural peaks and troughs. Much like waiting for a bus, an organisation might have a quiet few months before experiencing a sudden surge of adversary targeting. Rather than employ a full-time team that is waiting around for a potential crisis situation, alternative staffing models are arguably more efficient. For example, an incident response retainer with a specialist firm can provide well-practiced resources, but only when they are actually needed.
Access to talent is also typically just one component of a cyber security service offering. A specialist red, incident response or strategic services team also brings with it institutional knowledge and the ability to reach across its entire organisation’s insight and experience. In areas such as incident response, a specialist provider will develop its own set of tools that improve the quality of an investigation. These toolkits, however, also require costly research and development investment and would simply be inefficient for every organisation to develop internally.
A variety of government departments now either have a cyber security policy purview or must at least defend their network. The potential benefits of industry-provided services should therefore be considered across all of government. Indeed, government departments that are not typically associated with cyber security – whether in education, healthcare or transport – are often those most in need of additional resources.
Industry also benefits from a variety of government resources. The UK’s NCSC provides a wealth of insight for industry on multiple issues, ranging from support for critical national infrastructure providers to actionable advice for the self-employed and small or medium-sized organisations. Industry also directly benefits from the cyber security talent that has been fostered through government-funded education, training and career-pathway programmes.
Government can play an active role in establishing industry standards. For example, the UK’s NCSC set up the Cyber Incident Response scheme to certify companies that can help in the aftermath of a network intrusion. This aligns industry standards with best practices and enables the government to foster a high-quality incident response service across the UK.
Setting standards might not be seen as a traditional partnership per se, but the process involves active discussion between government and industry. It also creates a network of highly competent response providers. Government security bodies enjoy the benefits of building trusted contacts within these organisations and benefit from a list of trusted providers they can turn to and recommend to other parties. In this regard, setting standards should not necessarily be seen as a top-down exercise by government. Instead, it should be viewed as a collaborative practice that involves active stakeholder dialogue and networking.
Policy Recommendation: Establish the Foundations and Develop Partnerships Iteratively
Few would disagree that public–private collaboration is an essential component of cyber security policy. The more interesting question concerns how it can be integrated effectively.
Before launching partnership initiatives, government policy teams must first ensure they have the requisite foundations in place. This includes three essential pillars: being well versed in the different partnership models available; identification of specific areas where collaboration can tangibly improve security outcomes; and a confident understanding of the respective strengths and weaknesses within their public and private sectors. This puts a cyber policy team in a strong position to build meaningful partnerships to address emerging challenges. Pragmatism and an acknowledgement of what different approaches can realistically achieve sits at the heart of this approach.
Private sector collaborators can also play an active role in developing partnerships. This could include active participation in the community, highlighting where their capability can meaningfully contribute, and providing feedback on existing partnership arrangements. Crucially, successful PPPs are never built by one entity alone. They require an active conversation between relevant stakeholders.