Featured Research

from universities, journals, and other organizations

To deter cyberattacks, build a public-private partnership

Date:
August 25, 2014
Source:
University of Illinois at Urbana-Champaign
Summary:
The best way to combat cyberattacks may be a joint public-private partnership between government and business, says a new paper. Cybersecurity is a big deal, and the protection of critical network infrastructure is a matter of national security," said one expert. "If nothing else, cyberattacks are very expensive, costing the global economy almost a half-trillion dollars per year, according to some estimates. For either of those reasons alone it should be given more attention."

Cyberattacks loom as an increasingly dire threat to privacy, national security and the global economy, and the best way to blunt their impact may be a public-private partnership between government and business, researchers say. But the time to act is now, rather than in the wake of a crisis, says a University of Illinois expert in law and technology.

Related Articles


According to a study by Jay Kesan, the H. Ross and Helen Workman Research Scholar at the College of Law, an information-sharing framework is necessary to combat cybersecurity threats.

"Cybersecurity is a big deal, and the protection of critical network infrastructure is a matter of national security," said Kesan, who directs the Program in Intellectual Property and Technology Law at Illinois. "If nothing else, cyberattacks are very expensive, costing the global economy almost a half-trillion dollars per year, according to some estimates. For either of those reasons alone it should be given more attention."

Meaningfully improving cybersecurity and ensuring the resilience of systems will require cooperation between members of the private sector and the government, according to the paper. To that end, Kesan and co-author Carol M. Hayes, a research associate with U. of I. College of Law, propose a framework for the sharing of information about threats and solutions that they believe reconciles the competing concerns of privacy and cybersecurity, Kesan said.

"Privacy and cybersecurity are not mutually exclusive, but balancing the two interests may require cooperation and the occasional compromise," Kesan said. "We believe that cybersecurity can be enhanced without creating an Orwellian, Big Brother world, and encourage the development of what we call a 'Circle of Trust' that brings the public and private sectors together to resolve cybersecurity threats more effectively."

The goal is to foster trust between the private and public sectors, he said.

"When the public sector shares information with the private sector, that encourages the private sector to trust the public sector, and vice versa," Kesan said. "Our proposed framework advances this notion of trust even further by allowing both sides to preserve a degree of secrecy -- for example, government secrecy for classified military activities and geopolitical information, and private-market secrecy for consumer information, including information about consumers' online activities. It functions to assure participants that overreach by either side will be limited."

Private cybersecurity researchers could benefit from information about intrusion attempts and details about vulnerabilities uncovered by government actors, and government agencies could benefit from up-to-date information about private cybersecurity innovations and the identification of vulnerabilities by private firms, the researchers say.

Although some existing laws would need to be revised to implement the proposal, "both sides could benefit from information sharing about different security measures and their rate of success," Kesan said.

To emphasize the importance of cooperation, the paper presents case studies of two recent government proposals to address cyber threats: the proposed Cyber Intelligence Sharing and Protection Act (CISPA), and the presidential executive order that outlines procedures to establish voluntary cybersecurity standards.

Both proposals would create a way for qualified members of the private sector to obtain security clearances to receive classified cyber-threat information from the government, and CISPA also would allow the private sector to share cyber-threat information with government agencies.

But according to Kesan, efforts to address cyber threats may be hindered if policymakers rely solely on voluntary compliance.

"Both CISPA and the executive order take a voluntary approach, and we argue that a purely voluntary mandate is undesirable in both contexts," Kesan said.

Under each system as currently proposed, participation by private firms is purely voluntary and there is no penalty for non-compliance.

"Voluntary programs can be effective in some situations, but they may ultimately be interpreted only as aspirational guidelines," Kesan said. "In the sensitive context of cybersecurity, aspirational guidelines for security standards could lead to low levels of compliance, the withholding of valuable information by those who do not participate, and a greater risk of overshare by those who do participate."

On the other hand, mandatory programs with effective enforcement mechanisms are likely to result in higher levels of compliance, the authors note. This may be especially true when the program concerns highly complicated subject matter, as previous research has indicated that voluntary compliance may not be as effective in those situations.

"Government intervention with the free market should be minimized, but when cybersecurity issues have implications for national security, some degree of mandatory regulation would be beneficial," Kesan said. "The Obama administration recognized this through the issuance of the executive order on improving critical cybersecurity infrastructure, and Congress has recognized this as well."

Unfortunately, cybersecurity has proved to be a much more partisan issue than it should be, and Congress has not yet come together to take meaningful steps to protect the cyber infrastructure, Kesan said.

"Advocates for private enterprise have discouraged the imposition of meaningful cybersecurity requirements on privately owned critical infrastructure, while advocates for civil liberties and privacy invariably react with alarm to regulation that involves the collection of information about threats," he said.

Both Kesan and Hayes believe it is unlikely that Congress will pass effective cybersecurity legislation in the current session, which is scheduled to end on January 3, 2015. Although the presidential executive order and their proposed cybersecurity framework could provide some helpful first steps, the authors say that it is neither feasible nor desirable to rely solely on executive power to shore up the cyber defenses of the government and the private sector.

"Ideally, our proposed cybersecurity framework would be implemented alongside supporting legislation to ensure that cybersecurity actions and standards are subject to the checks and balances of our system of government," Kesan said. "CISPA could be easily revised to accompany our framework."

The authors also contend that it is important to ensure that this issue is subject to deliberate and careful decision-making by policymakers before a massive cyber catastrophe forces the government to act quickly and without adequate safeguards. They point to to the history of the Patriot Act, which was hastily passed in the aftermath of 9/11, and has been the target of significant criticism on civil liberties grounds over the last thirteen years.

"It's vital that these issues are addressed soon while there is still a chance to prevent a catastrophic cyber event," Kesan said. "It would be ill-advised to rely solely on executive power or on legislation that is hastily drafted and enacted after an emergency."


Story Source:

The above story is based on materials provided by University of Illinois at Urbana-Champaign. The original article was written by Phil Ciciora. Note: Materials may be edited for content and length.


Journal Reference:

  1. Carol M. Hayes, Jay P. Kesan. At War Over CISPA: Towards a Reasonable Balance between Privacy and Security. SSRN Electronic Journal, 2012; DOI: 10.2139/ssrn.2135618

Cite This Page:

University of Illinois at Urbana-Champaign. "To deter cyberattacks, build a public-private partnership." ScienceDaily. ScienceDaily, 25 August 2014. <www.sciencedaily.com/releases/2014/08/140825152606.htm>.
University of Illinois at Urbana-Champaign. (2014, August 25). To deter cyberattacks, build a public-private partnership. ScienceDaily. Retrieved November 27, 2014 from www.sciencedaily.com/releases/2014/08/140825152606.htm
University of Illinois at Urbana-Champaign. "To deter cyberattacks, build a public-private partnership." ScienceDaily. www.sciencedaily.com/releases/2014/08/140825152606.htm (accessed November 27, 2014).

Share This


More From ScienceDaily



More Science & Society News

Thursday, November 27, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Ebola Leaves Orphans Alone in Sierra Leone

Ebola Leaves Orphans Alone in Sierra Leone

AFP (Nov. 27, 2014) The Ebola epidemic sweeping Sierra Leone is having a profound effect on the country's children, many of whom have been left without any family members to support them. Duration: 01:02 Video provided by AFP
Powered by NewsLook.com
EU Pushes Google For Worldwide Right To Be Forgotten

EU Pushes Google For Worldwide Right To Be Forgotten

Newsy (Nov. 27, 2014) Privacy regulators recommend Google expand its requested removals to apply to all its web domains. Video provided by Newsy
Powered by NewsLook.com
Who Will Failed Nuclear Talks Hurt Most?

Who Will Failed Nuclear Talks Hurt Most?

Reuters - Business Video Online (Nov. 25, 2014) With no immediate prospect of sanctions relief for Iran, and no solid progress in negotiations with the West over the country's nuclear programme, Ciara Lee asks why talks have still not produced results and what a resolution would mean for both parties. Video provided by Reuters
Powered by NewsLook.com
FCC Forces T-Mobile To Alert Customers Of Data Throttling

FCC Forces T-Mobile To Alert Customers Of Data Throttling

Newsy (Nov. 25, 2014) T-Mobile and the FCC have reached an agreement requiring the company to alert customers when it throttles their data speeds. Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Science & Society

Business & Industry

Education & Learning

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins