Cybercreeps and Cybercrats (Part 2)
Part 2 – Working with the (Cyber) Man
Homeland security’s broad take on cybersecurity (mentioned in part 1) may be a little expansive, but that only highlights the fact that it is an area of IT that’s uniquely engaged with the tools of the state. Government agencies have the data and the intelligence to assess the threats and can tell us how best to protect ourselves against them; business can contribute to that data and help formulate achievable standards. You may have gotten a guffaw with the old line “I’m from the <your favorite government agency> and I’m here to help you” but with cyber threats, it might just be true.
On the one hand, while we have our own views about what’s an appropriate level of security, we don’t always get to choose for ourselves. Peter Beshar, writing in Fortune, says “It is simply not possible at this time to accommodate the proliferation of devices and applications necessary to meet the demands of consumers in the new economy while maintaining impenetrable security.” We have to make strategic decisions about security systems and processes considering how best to protect the business without jeopardizing the bottom line; but these decisions are often taken out of our hands. In any business there are layers of regulators: the GAAP-driven auditors, securities regulators if you’re publicly traded, industry bodies, and so on. Sometimes both state and national bodies and even international organizations claim purview. All expect some level of compliance and feel free to demand information or to tell us why we can’t do what we’re doing, and dealing with them all takes resources. Managing your cybersecurity adds yet another layer. It’s hard to remain well-disposed towards the public sector while trying to stay afloat atop this rising tide of regulation.
Government agencies like National Institute of Standards and Technology develop standards and frameworks that have a way of becoming de jure requirements. For the project I’m working on now I’m attempting to engage with the California Department of Motor Vehicles to obtain driver’s motor vehicle records (MVRs) through a web service. California drivers will be pleased to know their DMV is taking it’s responsibility for the privacy of their records very seriously. I’m currently re-drafting responses to a twenty-five page questionnaire in which I detail how we comply with each and every one of the NIST Recommended Security Controls. I have enormous respect for the work that NIST does, but one thing I’m sure they’ve never done is sold insurance. Left to themselves, the good folks at NIST with their Cybersecurity Framework, or their pals at ISO with their 27000 family of standards, or their even nerdier neighbours at the International Society of Automation (ISA) who would love to tell you about ISA/IEC 62443, they – or their bureaucratic friends who get to actually impose and enforce the rules – will have us so busy keeping the criminals out we won’t have any time to bring the customers in.
These costs are easier to absorb if you’re an established player, but if you’re trying to get into a market, security restrictions can be a real barrier to entry. Gartner claims that global spending on cybersecurity is now at $75B “…driven by government initiatives, increased legislation and high-profile data breaches.” In my MVR example, the DMV is presuming that our integration could compromise the entire database; but my model only grabs a record at a time through an already-approved third party. They’re right to consider the possibility that opening any channel could provide access to all their records, but at the same time they should consider the circumstances that make that unlikely. The fact is that if you’re a small company with a modest number of users, some of the risks are correspondingly reduced. Risk analysis weighs likelihood and severity together; but at the risk of generalizing, it looks like bureaucrats will weigh potential impact heavily without due consideration for likelihood – and it’s clearly too much to ask that they include in their assessment how burdensome their demands may be for businesses. These costs should not be disproportionately borne by the startups and SMEs who don’t represent the same kind of risks as do, say, Citigroup, Anthem or Sony.
So on the one hand it can feel like the government is only making demands with no thought for the costs. The current Apple vs. FBI contretemps reinforces the “we vs. they” motif. But we need to pull back and look at the bigger picture, because Cybersecurity is one area where public and private sectors truly can and ought to work together. Making the case for judicious application of security regulations (and perhaps easing the pain of DMV integrations as a consequence) is just one reason. Here are a few more.
Public Consultation
They say we get the government we deserve. Perhaps a better way to put it is to say that we are the government. Elected representatives in our democratic system ensure we have answerable institutions to provide needed regulation; but developing standards is one area where we can get directly involved and provide expertise that no civil servant can. Regulators and standards bodies invariably have processes to garner input from the private sector. They form working groups and technical committees, solicit comments from all kinds of stakeholders and have lengthy public reviews. If you think we need to do more than vote to ensure responsible government, encourage your organization to submit a comment letter or volunteer some smart folks to sit on a standards committee.
As an individual, having your company assign you to a standards working group may seem like a career misstep since it’s not very visible to senior managers nor likely to show up in the quarterly report. But you’ll find a whole network of seasoned experts and it looks great on a résumé. I know people who’ve used standards work as the strategic linchpin of the their careers, giving themselves guru credibility within the company or spring-boarding a consulting practice.
Public-Private Partnerships (PPPs)
Whereas standards development is good for long term shaping of the environment, PPPs generate revenue more directly. They have the same objective of accessing experts and including diverse voices, but are also conceived by a government organization to take some of the burden off its budget. And to incent private participation there’s direct support or an opportunity to provide paid services. More than a buzz phrase popular with government bodies, the rules around PPPs are becoming formalized in law. The typical example is an NGO which works with a firm to provide a service in their domain. The NGO can create the opportunity and ensure it’s not exploited to the detriment of their clients, while the private company provides the service, often as a monopoly.
PPPs attempt to leverage market forces in the delivery of public services. Partnerships in cybersecurity make sense because so much IT infrastructure is under private control. PPPs can help to ensure industry has the most complete data and is driving to common standards and approaches, preventing the criminals from exploiting a weak link in the chain.
As one example, there’s Homeland security’s Critical Infrastructure Cyber Community C³ Voluntary Program (the three Cs are Converging, Connecting and Coordinating). Homeland security does have a loose way with definitions, and this PPP sounds a little bit more like a sponsored industry organization. But the overall objective is to take some public funds and private resources and achieve a result that benefit everyone, so let’s give it to them. For another example, the EU, following up on their adoption of the Digital Single Market Strategy (which seeks to reduce regulatory barriers to European cross-border online trade), is proposing a PPP that would assemble experts to conceive and advance a program of innovation in cybersecurity. Public funds will support research that all contributors could then exploit.
Cooperation with Authorities
Plenty has been said about the dispute between Apple and the FBI. I’m happy to let that one play out in the courts. For most of us there’s little risk that complying with a warrant will prop open a backdoor for Big Brother.
I’m not saying we should hand over customer data whenever someone with a government business card asks. We must demand a high bar for when our security apparatus wants to look at confidential company or client data, and be sure those standards are met before opening the kimono. But when the boys in blue show up with their warrant, game’s over. It’s in all our interests that citizens, private or corporate, cooperate.
Unless you’re one of those CISSP folks, you probably find thinking about security an expensive and tedious imposition, a chore at best. So think of working with the government as a way to get someone to do some of the boring stuff for you. Cooperation with the public sector enhances the information available to public policy makers, strengthens overall infrastructure and reinforces the institutions constituted to keep us safe. There may not be a clear line from the expense to revenue but it’s still a good investment.
« Cybercreeps and Cybercrats (Part 1) The Multi-Dimensional Project Mosaic »
