To say that the public and private sectors do not always play nice with one another would be a serious understatement—especially when it comes to cybersecurity. Simply put, there is a lack of trust between the worlds of government and private enterprise, and while that credibility gap exists for legitimate reasons, the fact remains that it is a significant impediment to progress. Today’s threat landscape is presenting both private and public organizations with difficult new challenges, but efforts to improve information sharing and other joint measures have thus far failed to gain traction.
This trust gap would be difficult for public and private entities to bridge on their own, but the emergence of new security technology has offered some hope. The rise of security ratings is helping organizations gauge the cyber health of potential partners and vendors, allowing cyber insurance companies to assess risk more accurately, and providing a much-needed intermediary to help build trust between the public and private sectors.
Understanding the Trust Gap
Attackers aren’t the only ones who recognize the value of information—and that is part of the problem. The private sector simply doesn’t trust the public sector not to leak information about cyber incidents, making businesses reluctant to share data. Conversely, the government is wary of sharing sensitive information with the private sector where it might be misused. It also sometimes finds benefits in holding back information on certain vulnerabilities, rather than immediately notifying those affected, which doesn’t always breed goodwill.
Another key issue is liability. Many, both in government and in business, don’t believe that the liability protections provided by the Cybersecurity Information Sharing Act of 2015 (CISA 2015) go far enough, leaving businesses potentially exposed to legal action if they share information with the government. And while there are those in government who would be willing to address those concerns, the specific protections that businesses are looking for have yet to be fully articulated.
Antitrust and competitive intelligence information also need to be adequately protected. Think of it this way: if the government issues a warning that a specific vendor is cyber insecure, does that qualify as collusion against that vendor? Some businesses would argue yes—and the idea of the government “choosing winners” in any given industry has rarely gone over well. Providing these protections is critical if the government hopes to win the trust of businesses, and without them, information sharing is unlikely to progress in any meaningful way.
There are also business objectives that are at odds with the idea of public-private partnerships. Businesses are motivated to maintain a level of competitive advantage. This means keeping research and statistics secret, even when it comes to cybersecurity vulnerabilities. But these objectives must be set aside—at least to some degree. Information sharing allows organizations to combine their efforts, making the world a safer place. And it is important to remember that intelligence isn’t a zero-sum game: for most organizations, any intelligence they share will be paid back in spades by the information they receive.
Using Security Ratings to Bridge the Gulf
If the lack of trust between public and private organizations is preventing the flow of information between them, it makes sense that an intermediary is needed. Today, both parties are increasingly looking to security ratings to provide the information they need without requiring either to place an undue level of trust in the other. By gathering publicly available information and presenting it in an independently verifiable and easy-to-use manner, security ratings are giving organizations a significant portion of the information they need to make more informed decisions.
The resources of any one organization (or regulatory body) are limited. Consider the Environmental Protection Agency (EPA). One of its primary functions is monitoring water utilities throughout the country, but with tens of thousands of individual utilities to keep an eye on, this can be a daunting task. Asking each utility company to report on its cybersecurity capabilities would be cumbersome, particularly for the many small utilities across the country that lack cybersecurity expertise and rely on antiquated IT. Verifying the results would also be arduous, especially for an agency like the EPA that does not have any particular cybersecurity expertise.
Security ratings allow the information to flow both ways: with the relevant information now available at a glance, the EPA can even alert the utility company if, for example, an open port on an IP address is flagged within the rating platform. By fostering a more collaborative mindset, the proverbial stick usually associated with regulators becomes a much more appealing carrot. Rather than trying to strong-arm organizations into providing them with information, regulators can work with industry to create a safer, more secure environment in which to operate. With time, this increased collaboration will help build stronger bonds of trust, and eventually make even greater levels of cooperation possible.
Security ratings are not a silver bullet. Like a credit rating, which relies on publicly available data to make data-driven inferences about risk, security ratings provide the ability to make decisions even if the data provides less than 100 percent of an organization’s security picture. That represents a significant upgrade over the status quo, which relies on point-in-time information in an environment that changes by the second.
Law enforcement agencies, for example, no longer need to wait for days after a breach to obtain information from organizations while they conduct painstaking log reviews and check with their lawyers to determine the minimum amount of information necessary to release. Investigators can now have access to specific information immediately through security ratings platforms. Even if that information is only 60 or 70 percent of what they would receive from a company, they are no longer flying blind while waiting for internal data.
An Alternative to the Top-Down Approach
Regulations and mandates can be cumbersome. They require constant monitoring and compliance verification, and the private sector often looks at them as a form of government overreach. But today, there are alternatives. The public sector must take the opportunity to step back and ask what the goal of a new mandate would be, and whether there are other ways to achieve that same goal.
Security ratings can help reduce regulatory burdens while increasing nationwide cybersecurity. Today, most cybersecurity regulatory regimes rely on process questions to make assumptions about an organization’s cybersecurity posture. Do you use multi-factor authentication? Do you limit unsuccessful logon attempts? Do you enforce security configuration settings? All of these are questions about behavior and process, and while they are important questions to ask, they fail to account for the issue at the center of most cyber events: human error. Security ratings allow regulators and cybersecurity professionals to get right to the heart of the matter: what are an organization’s actual vulnerabilities and where are they located?
By gathering and collating data points that can identify specific vulnerabilities in an organization’s cybersecurity posture, ratings allow regulators to work with companies at the technical level, closing open ports and ensuring encryption certificates have not expired.
Minimum standards are still important, but by providing an objective, third-party cybersecurity overview, ratings can give government agencies a better view of security than annual (or more frequent) reporting requirements while also putting the government in a better position to focus its limited resources on those that actually need the attention. It also allows government to share information with companies they may not have been aware of otherwise. In a world where trust can be hard to come by, it’s difficult to overstate how valuable that type of cooperation can be.