Shared Responsibility in Cybersecurity

By George Platsis & Paul Ferrillo

Originally published on, April 4, 2017

What is the Private Sector’s Cybersecurity Role?

The safety of the Internet is at stake. A relatively obvious comment, but one which is neither unfounded, nor wrapped up in the auto-hysteria, as so many cybersecurity conversations are today. Why do we say this? A simple reason really: because the Internet is no longer used as it was originally designed — a benign information-sharing tool, used primarily for knowledge and research, by a select group of users. Today, but also arguably for the last 15 or so years, the Internet is a “wild west” with more and more actors entering it every day. The intent of these actors may be fairly obvious — we want to order something online and have it shipped to our door — or it may be shrouded in controversy and obfuscation, making attribution a seemingly impossible task.

Despite this environment, we still must go on about our daily lives, unless of course we are willing to change our daily lives, which would almost certainly result in a lower standard of living.

The general increase in living standard we have experienced over the last two centuries, especially in the West, is in large part connected to private industry’s success. The success private industry enjoys is a function of a stable and secure environment. If we could for a moment remove ourselves from today’s realities and go back to the pre-Internet days, the theory that private industry would have been successful had the security environment been in a constant state of unrest and instability is unreasonable.

If we limit our conversation to part of North America, the private sectors of both the United States and Canada have enjoyed much success because — outside of the War of 1812 — the two countries have enjoyed peace and stability between each other. Similarly, England during the 18th and 19th Centuries was able to become the global empire that it was because it was not connected to, and mired by, the constant strife of continental Europe, namely the long string of nation-state wars between the French, Prussians, Austro-Hungarians, and other European tribes.

We must qualify our comments: the United States, Canada, and England all suffered from their own internal social ills and were far from perfect — as can be said of all today — but none of them, during their ascendency, were caught up in a constant state of battle against some external actor encroaching on their territory. This distinction matters, because if the reverse were true — as it was on continental Europe — there would be a necessary shift of state resources to defend the borders (ranging from taxes, to manpower, to innovation — you name it).

As a result, the private sector had an individual interest to maintain peace and stability so that the private sector could thrive. Implicitly or explicitly, the public and private sectors shared responsibility, which linked the security of the state to the well-being of the economy, with the reciprocal remaining true, that a well-functioning economy contributed to the security of the state.

Fast forward to today and the following question often gets asked: does private industry have an individual responsibility to protect national security interests, specifically by implementing good cybersecurity controls imposed by reasonable government regulation? This question is loaded with ideology, which we unfortunately believe takes a very legitimate question to the realm of political partisanship, hurting both the security of the state and the ability of the private sector to thrive.

Therefore, we reframe the question as follows: how can the private sector not have shared responsibility, given the government’s parallel responsibility to keep users safe from a cyberattack?

