markrubens - Fotolia
Recent events such as the Equifax data breach and allegations regarding Russian interference with the 2016 presidential election are sobering reminders of cybersecurity holes in both the public and private sectors.
Cooperation between government and businesses has long been heralded as vital to protect digital assets and improve U.S. cybersecurity, which is why such cooperation is becoming part of U.S. cybersecurity strategy, said acting FBI Director Andrew McCabe.
"There is no law enforcement or exclusive intelligence answer to these questions," McCabe said about cybersecurity strategy during the Cambridge Cyber Summit hosted by CNBC and the Aspen Institute earlier this month. "We've got to work together with the private sector to get there."
Achieving this goal was the main topic presented at the annual conference, which examines how the public and private sectors can work together to safeguard economic, financial and government assets, while also maintaining convenience and protecting online privacy.
Regulations are usually anathema to a tech industry that worries cybersecurity mandates hinder the innovation upon which their industry thrives. There has been headway of late, however: In response to claims that Russian agents bought social media advertisements designed to sow discord in American politics, Facebook CEO Mark Zuckerberg announced policy changes to "protect election integrity."
McCabe admitted that the relationship between the federal government and the private sector has had its ups and downs through the years. Edward Snowden's disclosures about U.S. digital surveillance practices and law enforcement's confrontation with Apple over the San Bernardino, Calif., shooter's iPhone, for example, have hindered public and private sector cybersecurity cooperation.
"I see things like this and I hope that we are now edging back into a warmer space … to actually work on solutions," McCabe said.
The public sector is doing its part to help facilitate these partnerships: The New Democrat Coalition has established a Cybersecurity Task Force that promotes "public-private sector cooperation and innovation" designed to protect against cyberattacks. The U.S. House of Representatives recently passed the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act, which sets "guidelines," as opposed to mandatory requirements, for small businesses.
Rob Joycecybersecurity coordinator, U.S. White House
Incentives are a big part of these types of efforts. Last month, senators introduced a cybersecurity bill that would establish a reward program designed to incentivize private researchers to identify security flaws in U.S. election systems.
These types of partnerships are beneficial for both sides, said Rod Rosenstein, deputy attorney general at the Department of Justice, at the Cambridge Cyber Summit. Law enforcement investigations can help a company understand what happened, share context and information about related incidents, and even provide advice to shore up defenses if the hackers act again, he said.
"We can inform regulators about your cooperation, and we are uniquely situated to pursue the perpetrators through criminal investigation and prosecution," Rosenstein said. "In appropriate cases that involve overseas actors, we can also pursue economic sanctions, diplomatic pressure and intelligence operations ourselves."
International efforts, global companies
The "overseas" variable doesn't end with nefarious foreign actors hacking U.S. companies. Public and private sector cybersecurity cooperation is further complicated in the global economy with enterprises that have customers, headquarters and employees stationed all over the world. This makes it difficult to incorporate cybersecurity best practices as digital information moves across borders.
Different countries have different rules when it comes to handling digital information, leaving international organizations to navigate conflicting international laws.
"They have different threats to their systems, to their data, to their employees in many different places," McCabe said. "I think we have a clear and important role in helping them address those threats and those challenges."
McCabe was quick to add, however, that U.S.-based security professionals and law enforcement prioritize U.S. cybersecurity standards.
"Although we acknowledge that [global companies] have responsibilities in other parts of the world, we expect them to live up to our norms of behavior and in compliance with U.S. law and all the ways that that's required here in the United States," McCabe said.
The power of voluntary enforcement
When it comes to cybersecurity, White House Cybersecurity Coordinator Rob Joyce said he is a fan of "voluntary enforcement" among industry. If industry groups can rise up to identify unique risks and push best cybersecurity practices, it could create a sort of peer pressure for other organizations to step up their cybersecurity game, he said at the summit.
The goal is to give consumers the opportunity to choose companies that have voluntarily implemented well-planned cybersecurity best practices and compliance standards, as opposed to security protocols that are slapped together just so new products can be put on the market quickly, he said.
"We would expect industry groups to start labeling themselves as compliant and then consumers to make smart choices about what they're buying," Joyce said.
Forcing cybersecurity standards on the technology industry through government regulation poses problems, Joyce said, mostly because the industry evolves so fast. A cybersecurity standard that provides effective data protection and enforcement today could quickly become obsolete when the next iteration of technology is introduced.
"The problem with forcing it through government regulation is you snap a chalk line today, and this industry moves fast," Joyce said. "You impede good security because people have to do the thing to regulate it instead of doing the thing that's right."
The trick is to find that balance between innovation and cybersecurity protection, Joyce added.
"If you try to put too much constraint and mandatory check boxes on the security of a device, you will find that the manufacturers are going to be slowed in their ability to innovate and give us that next better product," Joyce said. "But we've got to have the ability to drive that next better product to have some base security."
Opinion: Private sector cybersecurity input still lacking
Public, private partnership targets cyberprotection in state of Wisconsin
Podcast: Do hacking victims take too much blame after a cyberattack?