With both over-reaching cybersecurity legislation and a Presidential executive order that would expand the authority of federal agencies looming, business leaders have proposed a strategy that would vastly increase the level of threat information sharing between the public and private sectors, in the hope that this cooperative approach will be enough to preclude government actions that would impose a "top-down regulatory approach" to cybersecurity.
The Business Roundtable (BRT), an association of chief executive officers of leading U.S. companies, this week released a report titled "More Intelligent, More Effective Cybersecurity Protection," which attempts to lay the groundwork for better public/private sector collaboration on information security issues.
"Formidable criminals are systematically stealing intellectual property through cyber theft. Even more dangerous adversaries are developing tools and capabilities to disrupt critical services that support the world’s economy, security and public safety. Shared threats of this magnitude require unprecedented levels of public-private collaboration to successfully defend against them," the report states.
Key to the BRT's proposal is avoiding legislative and regulatory mandates that the organization believes would "misdirect scarce public and private-sector resources to compliance-based, check-the-box models," and diminish the level of agility required to adapt to emerging threats.
"Ultimately... compliance-based solutions would fail to create an adaptive and collaborative structure that would allow the public and private sectors to advance risk management models capable of managing cybersecurity threats as they continue to evolve," the report asserts.
The BRT's proposal includes three key elements:
- Information Sharing: Investing in the infrastructure necessary to receive shared threat information
- Threat-Informed Risk Management: Developing the capabilities required to integrate cybersecurity threat and risk information into CEO risk management
- CEO Commitments to Cybersecurity: Recommending that boards of directors, as part of their risk oversight functions, continue to periodically review management's business resiliency plans, including cybersecurity, and oversee the related risk assessment and risk management processes
The group believes that rigid, compliance-driven regulatory edicts would be inadequate for addressing the dynamic nature of threats that are evolving as quickly as the new technologies they seek to exploit, and that the focus should instead be on developing an effective intelligence sharing platform that also protects the legal and privacy interests of the private sector.
"When you think about cybersecurity, it's less about physical security and law enforcement. It's probably more akin to intelligence and cyberespionage, so the flexibility and responsiveness in this space is going to be very essential to countering what are very rapidly evolving threats. The missing piece of this is really robust, two-way information sharing that has the appropriate legal and privacy protections between business and government," said MasterCard's Mike Manchisi.
The BRT says it is committed to working with the White House, federal agencies, and Congress to develop strategies to mitigate "sophisticated cybersecurity risks" by providing companies with access to the information they need to produce "more precise risk assessments" and to use limited resources more effectively. Whether anyone in Washington will hear the message from the private sector remains to be seen.