A broad coalition of business, civil liberties, and internet security groups has issued a white paper supporting the continued use of public-private partnerships to fight cybercrime rather than go in a more government-led direction.

The paper, "Improving our Nation's Cybersecurity through the Public-Private Partnership [1]," was released last week by the business groups the U.S. Chamber of Commerce, the Business Software Alliance, and TechAmerica; cybersecurity group the Internet Security Alliance (ISA); and civil liberties watchdog the Center for Democracy and Technology.

The white paper points out the the current public-private partnerships that have evolved to fight cybersecurity are fairly effective.  Some of the accomplishments of industry-government partnerships are the development of standards and best practices, the completion of a National Cyber Incident Response Plan, the successful execution of Cyber Storm exercises, improvement in information sharing, and risk assessments.

The paper points out that when properly put together, the public-private partnership can also provide privacy and civil liberty advantages over more "government-directed models." For example, the public-private partnerships entrust monitoring to private networks with private sector operators rather than government agencies and promote transparency. 

There is concern that "new policy initiatives may consider replacing the current model with an alternate system more reliant on government mandates directed at the private sector.  This change of direction would undermine the program that has been made and hinder efforts to achieve lasting success," states the report. 

The coalition's approach has its critics.  As reported in E-Commerce News [2], the Center for Strategic and International Studies (CSIS) has called for increased federal regulation for cybersecurity:

The current approach is flawed, says CSIS, because it "assumes incorrectly" that private entities will share adequate amounts of information despite liability, antitrust and business competition risks. The existing system underestimates the difficulty of sharing classified information with the private sector and simply assumes that if all parties had adequate information about threats, they would take action.

CSIS urges adoption of a broader regulatory system.

While any mandates should not be overly burdensome, CSIS argues that the deficiencies in current controls stem from the lack of a comprehensive regulatory framework.

However, ISA president Larry Clinton is quoted in E-Commerce News as saying that the tools are currently there to address the majority of cybersecurity attacks. "The national policy needs to recognize the difference between public sector and private sector goals and provide financial incentives for the commercial sector for implementing cybersecurity measures that aren't directly beneficial to a business goal," Clinton said in the article.  The report provides suggestions of incentives for tech sector businesses.

The report also provides recommendations on risk management, incident management, information sharing and privacy, international engagement, supply chain security, innovation and research and development, and education and awareness.

Thumbnail: