Defining success and mapping the road ahead for public-private partnership and critical infrastructure cybersecurity

Sean Atkins is a PhD candidate in security studies and international relations. His research focuses on national defense in cyberspace and cyber statecraft. He is also an active-duty US Air Force officer whose service ranges from national cyber policy development to multiple counterinsurgency operations deployments.

The recent discovery of the SolarWinds cyber-attack offers yet another example of the significant cyber risk America’s critical infrastructure faces.1 In particular, it raises questions about US cybersecurity policy for critical infrastructure, a policy that is founded on voluntary partnership between government and industry. Despite its importance, however, the government has yet to clearly articulate in strategic terms what its policy aims to achieve.

Defining what “success” looks like can guide the massive public and private efforts in this approach. In the absence of such a definition, the result has been a policy patchwork, pieced together over time in response to newly discovered vulnerabilities and threats like those of the SolarWinds incident. Strategic direction is essential to get ahead of dynamic security challenges, and it appears to be lacking in an area critical to the nation.

On December 10, the Center for International Studies (CIS) brought together MIT’s Internet Policy Research Initiative (IPRI), Cybersecurity at MIT Sloan (CAMS), and CyberPolitics@MIT to host a panel discussion aimed at defining long-term “success”.2 The panelists combined deep expertise on this issue derived from practice and policy experience within both industry and government.3 Their distinct (though generally not opposing) ideas about what constitutes “success” in critical infrastructure cybersecurity policy included:

- elevating thinking above the mechanics of the problem to develop a more sophisticated strategy that engages the “broader state of affairs”;
- shifting focus from the technological details to address the economic and behavioral foundations of cyber insecurity;
- a deeper partnership between government and industry that is more mature in its operation; and
- stronger and better organized government leadership.

The ensuing discussion outlined a more holistic vision for government-industry partnership to secure the critical functions that US national and economic security relies on.


Source: Polisci