Should Government and the Private Sector Cooperate In Cybersecurity?

The public was offended when NSA co-opted RSA’s encryption products and we were disappointed when some social media firms shared their customers’ private data with government, other firms, and law enforcement. It’s not acceptable for government and industry to cooperate against the public at large, but when we face genuine national security threats, most of us welcome private sector cooperation with government.

National security threats are easy to find.  Vulnerability of the US critical infrastructure to Chinese hacker attacks has been reported recently.  Cyber-attacks on large US banks last summer were thought to originate from Russia.  The attacks left banks’ computers waiting for further instructions from Russia  — a retaliatory threat against sanctions on Russia’s Ukrainian mischief.  A few years earlier, Iran mounted a half-hearted effective attack on major US banks.  If an attack in anger from China, Iran or Russia were aimed at the US electric or financial infrastructure, it could create catastrophic damage for US citizens.

Nation-states are the most capable, but not the most common cyber-criminals.  Repeated physical attacks on parts of the electrical grid in California were video-recorded and reported earlier this year.  These physical grid attacks are likely the work of domestic terrorists or criminals, as are the more than 500 bank cyberattacks per month.

When a nation-state or individual threatens or attacks US critical infrastructure facilities, it is a risk to public safety. That menace tees up the much-demagogued question of whether we should tolerate any loss of privacy or freedom in return for improved security. The answer is not binary for most people because the freedom-loss to safety-gain tradeoff matters a great deal. A related question is whether a risk to the public’s safety triggers an obligation of cooperation (e.g., sensitive information exchange) between the US government and critical infrastructure operators.

In hasty government-infrastructure operator meetings in the days after the September 11, 2001 attack (911), a cooperation obligation was discussed and acknowledged.  Full throttle cooperation allowed for recovery of the communications and financial trading that had been in shambles about 100 hours earlier.  While some civil libertarians will disagree, most Americans applauded the results and means.   In the years following, a cottage industry of critical infrastructure protection and cooperation organizations evolved for electricity, communications, water and fuel, roads, ports and bridges, health care, and the financial system.

Thirteen years after 911, there is quiet but active cooperation between firms operating critical infrastructures and sectors of government that are focused on security.  State and local government agencies are linked in for relevant layers of the information exchange.  While big banks are ostensibly being set adrift by the FRB and SEC, critical infrastructures are being treated appropriately as “too important to fail.”

Some of the government-industry cooperation is at a technical level, such as pinpointing the control center for and locations of bot-nets, or arranging loaned repair crews and technical equipment, or reporting the confidential details of attacks on credit card databases. Mutual-aid arrangements among infrastructure operators have been standard for decades with the full knowledge of regulators and elected representatives. Law enforcement still interacts through court orders that permit wiretaps, but the legal channels for more complex topics that authorize national security agencies to sift for terrorists are murky. Even less clear is the degree of sharing between government and targeted infrastructure operators. For good reasons, the opacity surrounding most cooperative agreements is intentional.

Some people are uncomfortable when cooperation omits full public reporting on all the gritty details, but full disclosure would hobble infrastructure protection. For example, operators will share some competitive information with government, but will not share it with competing operators, so it cannot be made public. Terrorist or criminal identities must sometimes be shared with an infrastructure operator in order to aid in blocking their actions and locating them for capture. But that personal information need not be published until an appropriate time in court proceedings. Good judgment matters. The risk of improper or premature disclosures is more likely to come from camera-seeking politicians than it is from security professionals in critical infrastructures and government.

Alan Daley is a retired businessman who writes for The American Consumer Institute Center for Citizen Research.