Public Private Partnerships in Cybersecurity

Living in DC has accorded me a number of privileges. Chief among them is the proximity to government offices as well as many NGOs. I am literally walking distance away from their offices. As a result, I have attended a number of press conferences and panel discussions led by current and former members of the government as well as the intelligence community. One recurring theme in the recent discussions is the importance of public private partnerships (PPP) in preventing a repeat of the Sony hacking incident.

The argument is that PPPs allow for greater information sharing thus reducing information asymmetry between the private and public sectors. It has been suggested that everything from malware signatures to attack attempts could be shared. The idea is that the aggregated data can be analysed for trends and patterns which can then help companies better prepare their defenses against similar attacks.

My opinion on the matter is that PPPs will not work out, at least not without major changes to regulations. The success of a PPP depends largely on one single value; honesty. In this particular case, neither party has the incentive to put all his cards on the table.

Lets first take a look from the government's perspective. It is no secret that governments stockpile 0 days. It is crucial ammunition that provides them with an alternative to conventional warfare. Case in point, Stuxnet was able to cripple Iran's nuclear programme, remain undetected for years, and not divulge the identity of its creator, something that conventional warfare or diplomacy would be unable to achieve. Even if full-blown war is unavoidable, 0 days can serve as a force multiplier. Imagine being able to disrupt the utilities and infrastructure of the target country even before the first boots hit the ground. The government would never be willing to share such information with the private sector.

From the private sector's perspective, the most important driver is profit. Once the company reports the crime and police have started investigations, the company has loss all control over the chain of event and the media circus that ensues may be even more detrimental to the company than the attack itself. Just look at the share price of Sony after the incident. In addition, equipment may be confiscated for evidential purposes which may affect day-to-day business operations. Lastly, the investigation process might uncover details such as the non-compliance to certain regulations and the company might even be liable for prosecution. It is therefore in the company's best interest to sweep it under the carpet and absorb the losses.

Unless there are indemnity and certain privacy clauses worked into regulation, it is unlikely that PPPs will work out.