Home / Columnists/ Public-Private Partnerships: A case for cyber security in Sri Lanka

Public-Private Partnerships: A case for cyber security in Sri Lanka

Comments / {{hitsCtrl.values.hits}} Views / Tuesday, 3 December 2019 00:00

By Asela Waidyalankara

Cyberattacks are a new and unique type of threat, from compromising power grids in Ukraine to impacting financial institutions in London to leaking confidential health information in Singapore. It impact is global and unprecedented. Governments, enterprises and even citizens are likely to be a target in this new hyper-connected world. 

Due to the novel nature of these threats, former Deputy Secretary of Defence, William J. Lynn wrote in a 2008 statement on the Pentagon’s cybersecurity policy that standard models of deterrence will not apply to cyberspace. “Cyber warfare is like manoeuvre warfare,” he wrote, “in that speed and agility matter most. To stay ahead of pursuers, the United States must constantly adjust and improve its defences.” [1]

Administrative and legislative efforts led by SLCERT in Sri Lanka have emphasised the importance of partnerships between industry and government, as highlighted in the national Cyber Security Policy [2] defending critical infrastructure, promoting initiatives for cybersecurity education, and ensuring the integrity of network infrastructure are some of the areas which public and private sector collaboration could take place. 

This article examines role of the private sector in national cybersecurity policy and analyses the strengths and limitations of cybersecurity Public-Private Partnerships.

Public-Private Partnerships

Public and private sectors can both stand to gain mutually from working together on cybersecurity initiatives. The private sector controls much of the critical infrastructure that is vulnerable to cyberthreats (e.g. telecom networks, financial services systems).

Therefore, many private sector organisations that own such infrastructure already have invested in robust cybersecurity compliances, programs and infrastructure, thus giving them expertise and experience in assessing and dealing with potential cyberthreats. The public sector has different strengths in that it is better positioned to investigate and prosecute cyber criminals and can provide leadership in cross boarder cyber security cooperation.

The source of a cyberattack is often difficult to identify, and government agencies often better positioned to collect foreign intelligence, collaborate with other international agencies, and gain access to critical information regarding potential threats. [3]

Cooperation between Private organisations and governmental agencies like SLCERT on joint cybersecurity initiatives can leverage the unique yet complementary strengths of both sectors. For example, public-private partnerships are especially effective in mitigating financial cybercrime, for the joint cooperation of the two sectors address the interests of consumers, businesses, and the government alike. [4] 

According to the Intelligence and National Security Alliance, the mission of cybersecurity public-private partnerships (PPPs) is three-fold. First, these partnerships must identify and detect behaviours of concern. Second, PPPs must ensure that actors from both sectors comply with the standards and framework of the partnership. Third, and arguably most importantly, PPPs must provide a mechanism for response after a cyber-threat; this entails conducting examinations of an attack and addressing any necessary shortcomings in the current defence system. [5]

Current hesitations to establish Public-Private Partnerships

Although PPPs are perceived to be beneficial for both sectors, most private organisations would be reluctant to establish cybersecurity PPPs. The key hesitation in the private sector to form a public-private partnership concerns issues of trust, control, and disclosure. Regarding trust, organisations often doubt whether they should involve a government agency after a cyberattack, in turn for the government would necessarily have access to the organisation’s private data. 

Moreover, even in the case of a serious breach, organisations might still be reluctant to directly involve the public sector entities if they fear that government involvement would only escalate the severity of the situation and leave it open for more cyberattacks. 

Furthermore, once a private organisations involves a government agency in investigating a cyberattack, the company would lose autonomy over their investigation and threat response. Additionally since the government would not be able to provide all data regarding potential cybercrimes because some information may be classified or confidential, many organisations feel that the information sharing would end up as a one-way relationship. 

Studies have even found that announcing a cybersecurity breach can hurt an organisation’s market value. In one study, breached companies lost an average of 2.1% of their market share within two days of disclosing the breach to the public. [6]

PPP models and recommendations

Through analysis of current PPPs in areas outside of cybersecurity, there are some proposed models of an effective cybersecurity PPPs that would help to mitigate its most apparent limitations. Since private organisations identified a lack of trust as a key hesitation in working with the government as part of a PPP, an effective PPP must immediately establish a level of trust and transparency. 

For example, in order to foster a sense of trust, some PPP’s in the Netherlands have created a secure network of information that the government cannot directly access without the express consent of the companies involved. [7]

Furthermore, there are several proposed recommendations for developing effective cybersecurity PPPs. In a 2016 briefing, the World Economic Forum (WEF) proposed five key recommendations for developing PPPs to specifically fight cybercrime. Among those recommendations were strategies for establishing more real-time information sharing systems, developing a uniform rule of law for cybercrime, and encouraging national law enforcement agencies to more actively engage in cybersecurity PPPs to improve coordination between the public and private sectors. 

Keeping in mind concerns about trust, the World Economic Forum also called both the public and private sector to engage in open discussions about their differing motivations and viewpoints regarding cybersecurity. [8]


Cooperation between the public and private sectors is a bedrock of a national cybersecurity strategy. Cybersecurity PPPs must be based on a foundation of mutual trust, and open dialogue between private organisations and the government entities that can help to perfect some of the reluctance in the private sector. 

By clarifying the regulatory framework surrounding cybersecurity (in the form of the present draft cyber security bill) [9], the government can better soften organisations hesitations to reach out to the government in the event of a cyberattack. 

By addressing these concerns, cybersecurity PPPs can work to develop strategies for risk management and information sharing, and both the private sector and the Government will be better equipped to handle future cyberthreats.

(The writer is a thought leader and advocate of cybersecurity in Sri Lanka.)


[1] https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain

[2] https://www.cert.gov.lk/Downloads/NCSStrategy.pdf

[3] http://www.lawandsecurity.org/wp-content/uploads/2016/08/Cybersecurity.Partnerships-1.pdf

[4] http://www.sciencedirect.com/science/article/pii/S0167404811001040

[5] http://www.insaonline.org/i/d/a/Resources/Addressing_Cyber_Security.aspx

[6] http://www.tandfonline.com/doi/abs/10.1080/10864415.2004.11044320

[7] http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1478&context=jss

[8] http://www3.weforum.org/docs/WEF_Cybercrime_Principles.pdf

[9] https://www.cert.gov.lk/Downloads/Cyber_Security_Bill_2019-05-22_LD_Final_Version.pdf

Share This Article

Facebook Twitter


1. All comments will be moderated by the Daily FT Web Editor.

2. Comments that are abusive, obscene, incendiary, defamatory or irrelevant will not be published.

3. We may remove hyperlinks within comments.

4. Kindly use a genuine email ID and provide your name.

5. Spamming the comments section under different user names may result in being blacklisted.


Today's Columnists

Research and Development: Is it essential for Sri Lanka?

Thursday, 23 January 2020

Not long ago, on the day of our 71st Independence Day celebrations, the Army for the first time in our history paraded a locally built Multi-Barrel rocket launcher. It was never revealed that the Sri Lanka Army had an R&D wing named Center for Resear

Our heritage is Kandyan law; not Roman Dutch law as Rathana Thero thinks

Thursday, 23 January 2020

There were four bills presented by private members to the Parliament on 8 January (one bill is to be presented) which were already advertised in the gazette. They were to repeal the Kandyan Marriage and Divorce Act No. 44 of 1952; to repeal the Musli

Sri Lanka at tipping point ?

Thursday, 23 January 2020

Let’s accept it, Sri Lanka is in trouble with the economy growing at +2.6%, exports declining for the fifth month in a row to register a marginal +1% growth, tourism declining by -20% and S&P credit rating at B with Negative Outlook, which sure ind

The importance of business incubators for emergence of new businesses

Thursday, 23 January 2020

The new Government is poised to enter an arena in the development of entrepreneurship in the country which most of the developed countries have succeeded at the initial stages as well as in continuous efforts. The appointment of the new chairman and

Columnists More