Cybersecurity has long been an underestimated source of danger. Omnipresent in pop culture, the threat was portrayed in such a sensationalized light by Hollywood that its complexity became unrelatable. Cinema effectively confined computer security to the future where only tech geniuses, elite hacktivist groups and criminal masterminds would play a role. However, the reality is that cybersecurity is an existing and recurring threat. The 2018 Scalar Security Study found that 87% of Canadian companies have previously suffered from cyberattacks with at least one successful breach. Similarly, the Hiscox Cyber Readiness Report 2018 further exposed the ineptitude of up to 73% of private and public sector entities across five countries to protect themselves from such attacks.
Most recently, the 2016 US Presidential Election Hack brought cybersecurity to the forefront of American political consciousness. Despite having witnessed a variety of cyberwarfare and government espionage in preceding years – the 2007 cyberattacks on Estonia and a spear phishing attack on members of the Bundestag in August 2016 being only two examples – the world experienced a fundamental turning point following the US Election hacks. The reality of a foreign government successfully penetrating voter systems and tampering with core democratic institutions resonated globally. Even the United States, the world’s military hegemon, was no longer safe from cyberassaults. Cybersecurity considerations were further legitimized that same year when NATO recognized cyberspace as its fifth domain of operation at the Warsaw Summit. NATO’s Secretary General, Jens Stoltenberg, additionally acknowledged the threat posed by cyberattacks when he warned that they could trigger Article 5 of the North Atlantic Treaty – a response to Russian hacks directed at Ukraine in May 2017.
Intensifying the issue of cybersecurity, global internet usage has also risen steeply in the 21st century, from 738 million in 2000 to 3.2 billion in 2015, and that number is growing. As the general public becomes more active in the cyberworld, the need for governments to protect their citizens and private institutions from criminal activity becomes more urgent. Nevertheless, the public sector’s evident lack of expertise in the field raises the public policy question: what role should the government have in spearheading cybersecurity? Traditionally, governments have always had a monopoly over security issues. Nonetheless, it is clear that when securitization requires cutting-edge technology and constant innovation, a more pragmatic course of action is to divide responsibility between the public sector and the arguably more efficient private sector.
Industry has dealt with computer security vigorously in the past. From the 2014 Sony Pictures hack to the 2017 WannaCry ransomware attack, the private sector has developed state-of-the-art encryption systems to protect its data from cyberthreats. In 2016, eight of the largest US banks formed an information-sharing group to better respond to and apprehend future cyberattacks. Accordingly, the US government began contracting private corporations to produce vanguard software and hardware technology for the public sector, as well as execute select missions under the Bush administration.
The national security of any country is today intertwined with both government and industry. A competition between the two over cybersecurity is therefore not only futile and inefficient, but can also be costly to a state – both in time and money. Several government and military security breaches have resulted in significant and valuable losses of intelligence. That being said, a cohesive and holistic framework on the basis of comparative advantage whereby private companies share their optimal data and public institutions handle the macro-level analysis would result in the highest standard of security.
However, this ideal is blemished by the lack of trust and cooperation between the two sectors. On the one hand, a company sees no incentive in collaborating with the government because its main responsibility is to its shareholders. Working with the public sector would only run the risk of information being leaked and negatively affecting the stock market. On the other hand, the public sector views industry as exclusively profit-driven. Dave Weinstein, a Cybersecurity Policy Fellow at the New America Foundation, further questioned the notion that companies always possess the “best data”. He argued that although the private sector is more technologically competitive, its data is only based on instant response and is solely centred on its own network. Unlike government intelligence, private sector data covers neither the entire threat landscape nor all the different sources.
Consequently, a symbiotic relationship needs to be developed for the benefit of both parties, as well as for civil society and security. Although some infrastructure already exists, such as the Information Sharing and Analysis Center, a non-profit organization that facilitates cross-sector information sharing, an incentive-driven mechanism is lacking. In fact, the Center for Strategic and International Studies found that corporations’ primary obstacle to information-sharing is cost. Moreover, the Cyberspace Policy Review recommended numerous economic inducements governments should explore to act as compliance mechanisms, such as liability considerations, indemnification, and tax incentives. These recommendations were partially adopted by Congress when it passed the Cybersecurity Information Sharing Act in 2015. The new legislation, however, only offered liability protection without any financial incentive. Meanwhile, the Government of Canada also elaborated its Cyber Security Strategy in 2015 when it introduced legislative amendments aiming to strengthen collective cyberresiliency. Yet, rather than creating incentive-driven mechanisms as the recommendations indicated, the amendments only increased the government’s budget to merely “assist” the private sector in combatting cyberattacks. They also imposed strict obligations on private entities to report breaches in security. Subsequently, the amendments reinforced the notion of government as paternalistic instead of incentivizing companies to willingly collaborate with the public sector.
A private-public partnership is oftentimes bastardized to a zero-sum game. Yet, in this case, the two sectors stand to benefit from working together to develop superior intelligence since both are vulnerable to the same threat. The gain of national security would far outweigh the loss of supposed profit, information or even stock price. Although some progress has been made, such a partnership must continue to be fuelled by governments to overcome mutual distrust and, most importantly, incentivize cooperation.
Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.