Public-Private Partnerships

Background

Governments, businesses, and consumers face a cybersecurity threat landscape that is constantly evolving with each new technology that is brought to market at a faster pace than ever before. The sharp rise of internet-enabled devices in government, industry, and the home exacerbate this already difficult challenge. The challenges we face are too significant for one company or entity to address on its own. We need collaboration, and one effective model of collaboration is public-private partnerships.

The Framework for Improving Critical Infrastructure Cybersecurity, known as the NIST Cybersecurity Framework, is widely acknowledged as a highly successful model of public-private collaboration that is being adopted by government agencies and critical infrastructure companies. The NIST approach succeeded because policymakers and the private sector defined a real need, improving the security of critical infrastructures; the process was open, NIST listened to the private sector, and built trust with key stakeholders; and the final product, a flexible framework, was based on voluntary collaboration, not rigid regulations. Policymakers should keep in mind the recent successes of the framework as a positive way to get to their desired outcome.

Importance to McAfee

McAfee believes that collaboration in cybersecurity is the best way to defeat cyberattackers and secure our networks, data, infrastructure, and even lives. We believe that strong, voluntary public-private partnerships are the best path forward to solve the grand cybersecurity challenges we face. These partnerships promote trust and innovation and are far better suited to produce long-term success than overly restrictive and trust-eroding government mandates and regulations.

McAfee has been active in public-private partnerships managed by the Department of Homeland Security (DHS), NIST, and other agencies for more than 10 years. We have leadership roles in the President’s National Security Telecommunications Advisory Committee (NSTAC), Information Technology Sector Coordinating Council, Information Technology-Information Sharing and Analysis Center, National Cyber Security Alliance, and National Cybersecurity Center of Excellence (NCCoE).

We also believe that technology enabled with strong collaboration can be deployed rapidly to security platforms, so they can communicate with each other over open communication protocols. Such technology can be guided by the strategic intellect that only humans can provide. Thus, the only way to have a winning cybersecurity strategy is to bring technology, the cybersecurity industry, and the efforts between government and the private sector together. This is what real collaboration is all about.

Policy recommendations

Policymakers should be wary of imposing cybersecurity mandates and regulations and should instead support voluntary collaboration and use of industry supported standards and best practices. Industry should support accountability on cybersecurity and should dedicate increased budgets and increased managerial and organizational focus on cybersecurity.

Policymakers have done an admirable job of using the incentive of liability protections, and relaxing antitrust rules, to help incent broad-based information sharing between the private sector and the government, and among private sector entities. However, too few companies are actively sharing threat information with the government and among themselves. This restricts the realization of our goal: a high-functioning ecosystem of information sharing that enables the public and private sectors to compete with global networks of sophisticated hackers.

Federal agencies should declassify larger categories of threat data and actively share them with the private sector. DHS should issue many more security clearances to qualified company representatives to enable access to the most sensitive, and potentially most valuable, pieces or classes of threat data. The administration should pass into law the Cyber Information Sharing Tax Credit Act, which would incentivize businesses of all sizes to join sector-specific information sharing organizations, known as Information Sharing and Analysis Centers (ISACs), by providing refundable tax credits for all costs associated with joining ISACs.