Public-Private Partnership: Bah, Humbug!
"I struggled hard not to use the words 'public-private partnership.'"
Public-private partnership is the adage du jour - perhaps of the year - in government cybersecurity circles. Sen. Jay Rockefeller, the West Virginia Democrat who is seeking support for his cybersecurity bill, framed a speech Thursday to the Business Software Alliance around the theme of the public-private partnership. The headline of the prepared remarks issued by Rockefeller's office blared: "Chairman Rockefeller Urges Public-Private Collaboration to Address Growing Cyber Threat." Rockefeller concluded his speech by saying:
"I know the American people and the American economy will be far safer and far more prepared if we all come together - public and private - to work in unison to build a new, strong cybersecurity partnership for the 21st century. That is what shared responsibility is all about."
And at last month's RSA 2010 Conference, Homeland Security Secretary Janet Napolitano, Cybersecurity Coordinator Howard Schmidt and FBI Director Robert Mueller all emphasized the private-public partnership in their keynote addresses. Here, for example, is what Napolitano said:
"Together we can find better ways to safeguard our systems and stop those who would do us harm. For ultimately, we face the same threat. We both serve the American people. And we must continue to do everything we can, together, to minimize these attacks."
But to Stiennon's ears, it's all political rhetoric.
"I'm afraid it's just talk. It sounds so good when you say it. It's to ameliorate the risk of the feeling of threats of industry when they hear the government talking that way."
Stiennon says the government should leave business alone and worry about its own IT security. Any "partnership" should involve the private sector helping the government, he says, not vice versa, adding:
"The issue here is government's own security stance. Certainly, they should get all the help they can from the private sector, but I don't think anybody is waiting for the government to knock on government door, saying, 'We're from the government, and we're here to help you.'"
Stiennon contends it's been the private sector, not government, that has identified new vulnerabilities.
"The government is most closed-mouth about a rising threat. Presumably they're doing research, but there are never any new vulnerabilities discovered by these researchers; there are never any threat alerts, but there is a rising amount of traffic coming from China or whatever."
"It's been up to private sector to do that. It's no surprise that the private sector has thousands of security researchers who have been monitoring the developments of malware, and monitoring network activity. And, they'll be the ones that tell us that a partnership has to happen, but it will be money flowing from government to private sector, and information from the private sector to the government."
An inference taken from Stiennon's remarks is that the tens of thousands of government cybersecurity specialists don't have much to offer to the private sector in defending their IT systems. That's preposterous.
If Stiennon is worried that government will dictate to business how to protect privately run IT infrastructures, it's something that won't happen. And, if the government ends up imposing some cybersecurity regulation, it's likely to come about with close collaboration - or should I say partnership - between government and the private sector.