“Every generation gets their chance to lose the country. Don’t know when it will happen, but when it does don’t let us down. Only by cooperating between the sectors will we keep this country strong.” Mark Graff, Chief Information Security Officer (NASDAQ-OMX), quoting his father
On 30-31 July, members of the TIDES team attended the “2013 Building Resilience through Public-Private Partnerships Conference,” sponsored by the Department of Homeland Security, FEMA, and NORTHCOM. Attended by people from across federal, state, and local governments, NGOs, private companies, and the citizenry, the conference explored ways to use public-private partnerships to address physical and digital infrastructure as they relate to disasters and development.
On the second day, the theme of interest was Cyber Security. Mark Graff, Chief Information Security Officer (NASDAQ-OMX), spoke of the challenges facing cyber security in the financial markets. He said there are a few ways forward to combat the cyber threat.
· Information sharing– The US government tries to get information to the private sector, but often it cannot be specific enough about where an attack will land. If companies are looking for a needle in a haystack, it would help to at least know which haystack. Echoed multiple times at this event: companies would like to understand which vendors are reliable and which are not.
· Regulations and standards– Standards are needed that focus on results and preparation but are not too specific.
· Supply Chain Management– Security standards are needed for supplier companies, along with ways to disclose which suppliers may be risky, such as companies backed by foreign intelligence services.
We are at a turning point in cyber security. There is an attribution problem, because one cannot verify who is actually behind a given IP address. We need to do a better job of finding malicious actors working in cyberspace, and we need to find a balance between anonymity, privacy, and security. Additionally, cyber-attacks are currently one-way. We need to find ways for organizations to maintain an active defense, a concept still to be developed, whereby businesses do not need to be completely passive against attacks. Why do we have to act like punching bags? What can we do to attackers that is legal? Thirdly, we need to move the battle outside of enterprises’ company websites and internal systems. Finally, private organizations often find themselves in an advisory vacuum because they are not getting advice on what to do and on who is trying to hurt them. Private organizations need real-time cyber alerts to protect critical infrastructure, the national economy, and citizens. Good models for this kind of interaction are the National Weather Service and the Centers for Disease Control.
The follow-on panel discussed Enterprise Resiliency (cyber physical/virtual) and the importance of partnerships through the lens of Hurricane Sandy. Hurricane Sandy reinforced the need to revisit assumptions and the importance of dynamic awareness, and the panel looked at ways to maintain physical and cyber security during a disaster. Public-private partnerships can assist by running table-top exercises that combine physical and cyber implications, by looking into Internet-detached modes of communication, and by letting people know about cyber threats, vulnerabilities, and how to combat them.
Next, the panel Public Private Partnerships to Enhance Critical Infrastructure Security and Resiliency looked at recommendations for enhancing critical infrastructure partnerships. Acting Undersecretary Suzanne Spaulding (National Protection and Programs Directorate, DHS) spoke of the need to get out of the mindset that physical and cyber threats are separate, and of the need to focus more on consequences (not just the threat and the vulnerability). She also stressed that, as much as possible, unclassified data should be the primary form of communication, to maximize information sharing among the involved parties. When asked how we can move toward a collaborative effort on deterrence, including the importance of an international framework and of penalization, the group said that the nature of security is that people do not want to share it. We must look at people’s differing understandings of what constitutes a crime and their differing values around data, trust, and goals. Then we must manage expectations in information sharing. An important take-away from this panel is that security is not optional – no small business is small enough to ignore it.
The panel Emergency Ops Centers- Reinventing Public Safety And Security Through Technology discussed the Baltimore CitiWatch Program, Detroit’s Project Lighthouse, and the Washington D.C. police strategy as best practices for sustaining effective PPPs in emergency operations centers. The panelists highlighted that any partnership requires a lot of trust, that a PPP acts as a force multiplier, the importance of partnering with subject matter experts, and the need to outline clear objectives. They also pointed out that not all PPPs need to be indefinite; an end date for a partnership can strengthen a group’s resolve to accomplish a goal or set of tasks. “I don’t need another partner, another teammate.”
A question raised for continuing this progress: do partnerships generalize into types of models, so that one can determine which model to use when? DHS has a number of group templates that people can reference. There are also training programs for PPPs with USAID, the Forest Service, the State Department, and FEMA.
The Way Forward. At the national level, we need to distill best practices and cost-cutting lessons, issue laws and regulations that are not so specific that they cannot change with the times and with changing requirements, and build trust over time. All partnerships should have (1) a clear set of goals, outcomes, and milestones, (2) an understanding of the interests at play, (3) robust communication, (4) leadership involvement, (5) appropriate membership, and (6) trust.