Public-Private Partnerships: A case for cyber security in Sri Lanka

By Asela Waidyalankara

Cyberattacks are a new and unique type of threat, from compromising power grids in Ukraine to impacting financial institutions in London to leaking confidential health information in Singapore. It impact is global and unprecedented. Governments, enterprises and even citizens are likely to be a target in this new hyper-connected world. 

Due to the novel nature of these threats, former Deputy Secretary of Defence, William J. Lynn wrote in a 2008 statement on the Pentagon’s cybersecurity policy that standard models of deterrence will not apply to cyberspace. “Cyber warfare is like manoeuvre warfare,” he wrote, “in that speed and agility matter most. To stay ahead of pursuers, the United States must constantly adjust and improve its defences.” [1]

Administrative and legislative efforts led by SLCERT in Sri Lanka have emphasised the importance of partnerships between industry and government, as highlighted in the national Cyber Security Policy [2] defending critical infrastructure, promoting initiatives for cybersecurity education, and ensuring the integrity of network infrastructure are some of the areas which public and private sector collaboration could take place. 

This article examines role of the private sector in national cybersecurity policy and analyses the strengths and limitations of cybersecurity Public-Private Partnerships.

Public-Private Partnerships

Public and private sectors can both stand to gain mutually from working together on cybersecurity initiatives. The private sector controls much of the critical infrastructure that is vulnerable to cyberthreats (e.g. telecom networks, financial services systems).

Therefore, many private sector organisations that own such infrastructure already have invested in robust cybersecurity compliances, programs and infrastructure, thus giving them expertise and experience in assessing and dealing with potential cyberthreats. The public sector has different strengths in that it is better positioned to investigate and prosecute cyber criminals and can provide leadership in cross boarder cyber security cooperation.

The source of a cyberattack is often difficult to identify, and government agencies often better positioned to collect foreign intelligence, collaborate with other international agencies, and gain access to critical information regarding potential threats. [3]

Cooperation between Private organisations and governmental agencies like SLCERT on joint cybersecurity initiatives can leverage the unique yet complementary strengths of both sectors. For example, public-private partnerships are especially effective in mitigating financial cybercrime, for the joint cooperation of the two sectors address the interests of consumers, businesses, and the government alike. [4] 

According to the Intelligence and National Security Alliance, the mission of cybersecurity public-private partnerships (PPPs) is three-fold. First, these partnerships must identify and detect behaviours of concern. Second, PPPs must ensure that actors from both sectors comply with the standards and framework of the partnership. Third, and arguably most importantly, PPPs must provide a mechanism for response after a cyber-threat; this entails conducting examinations of an attack and addressing any necessary shortcomings in the current defence system. [5]

Current hesitations to establish Public-Private Partnerships

Although PPPs are perceived to be beneficial for both sectors, most private organisations would be reluctant to establish cybersecurity PPPs. The key hesitation in the private sector to form a public-private partnership concerns issues of trust, control, and disclosure. Regarding trust, organisations often doubt whether they should involve a government agency after a cyberattack, in turn for the government would necessarily have access to the organisation’s private data. 

Moreover, even in the case of a serious breach, organisations might still be reluctant to directly involve the public sector entities if they fear that government involvement would only escalate the severity of the situation and leave it open for more cyberattacks. 

Furthermore, once a private organisations involves a government agency in investigating a cyberattack, the company would lose autonomy over their investigation and threat response. Additionally since the government would not be able to provide all data regarding potential cybercrimes because some information may be classified or confidential, many organisations feel that the information sharing would end up as a one-way relationship. 

Studies have even found that announcing a cybersecurity breach can hurt an organisation’s market value. In one study, breached companies lost an average of 2.1% of their market share within two days of disclosing the breach to the public. [6]

PPP models and recommendations

Through analysis of current PPPs in areas outside of cybersecurity, there are some proposed models of an effective cybersecurity PPPs that would help to mitigate its most apparent limitations. Since private organisations identified a lack of trust as a key hesitation in working with the government as part of a PPP, an effective PPP must immediately establish a level of trust and transparency. 

For example, in order to foster a sense of trust, some PPP’s in the Netherlands have created a secure network of information that the government cannot directly access without the express consent of the companies involved. [7]

Furthermore, there are several proposed recommendations for developing effective cybersecurity PPPs. In a 2016 briefing, the World Economic Forum (WEF) proposed five key recommendations for developing PPPs to specifically fight cybercrime. Among those recommendations were strategies for establishing more real-time information sharing systems, developing a uniform rule of law for cybercrime, and encouraging national law enforcement agencies to more actively engage in cybersecurity PPPs to improve coordination between the public and private sectors. 

Keeping in mind concerns about trust, the World Economic Forum also called both the public and private sector to engage in open discussions about their differing motivations and viewpoints regarding cybersecurity. [8]

Conclusion 

Cooperation between the public and private sectors is a bedrock of a national cybersecurity strategy. Cybersecurity PPPs must be based on a foundation of mutual trust, and open dialogue between private organisations and the government entities that can help to perfect some of the reluctance in the private sector. 

By clarifying the regulatory framework surrounding cybersecurity (in the form of the present draft cyber security bill) [9], the government can better soften organisations hesitations to reach out to the government in the event of a cyberattack. 

By addressing these concerns, cybersecurity PPPs can work to develop strategies for risk management and information sharing, and both the private sector and the Government will be better equipped to handle future cyberthreats.

(The writer is a thought leader and advocate of cybersecurity in Sri Lanka.)

References

[1] https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain

[2] https://www.cert.gov.lk/Downloads/NCSStrategy.pdf

[3] http://www.lawandsecurity.org/wp-content/uploads/2016/08/Cybersecurity.Partnerships-1.pdf

[4] http://www.sciencedirect.com/science/article/pii/S0167404811001040

[5] http://www.insaonline.org/i/d/a/Resources/Addressing_Cyber_Security.aspx

[6] http://www.tandfonline.com/doi/abs/10.1080/10864415.2004.11044320

[7] http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1478&context=jss

[8] http://www3.weforum.org/docs/WEF_Cybercrime_Principles.pdf

[9] https://www.cert.gov.lk/Downloads/Cyber_Security_Bill_2019-05-22_LD_Final_Version.pdf