A new report co-published by the Center for Long-Term Cybersecurity and Technology for Global Security (Tech4GS) provides a blueprint for how the U.S. government and private-sector companies can collaborate to prepare for a cyberwar or other massive cyberattack on U.S. interests.
Authored by Jonathan Reiber, former Chief Strategy Officer for Cyber Policy and speechwriter in the Office of the Secretary of Defense, A Public, Private War: How the U.S. Government and U.S. Technology Sector Can Build Trust and Better Prepare for Conflict in the Digital Age outlines a series of policy recommendations for both the government and companies to improve their preparedness. “At some point in the future the United States will likely enter into escalating hostilities with a cyber-capable adversary,” Reiber writes. “Public-private preparation for war is an uncomfortable but necessary process to prepare for that day or, better, help deter that day from ever arriving.”
Drawing on interviews with leaders from both the public and private sectors, the report details past examples of cooperation between the public and private sectors—for example, when the national security community and IT firms cooperated to close a vulnerability in computers’ Basic Input/Output System (BIOS)—as well as instances when trust between the public and private sectors degraded, including the release of classified information by Edward Snowden and protests at Google over the company’s participation in contracts with the U.S. Defense Department. “These stories and others should inform the government and the private sector’s approach to cybersecurity planning,” Reiber writes.
“Jonathan’s work into the immediate need for planning for public-private cyber cooperation in the event of a high-end contingency paints a clear picture of how much work remains to be done, but more importantly, draws a map for how we get from here to there,” says Philip Reiner, CEO of Tech4GS, which co-sponsored the publication. “Rarely do we get to understand and prepare in advance for conflict. His report lays out a unique and important framework for thinking about this critical planning work that we can do now, well in advance of when it’s too late.”
The report includes a variety of recommendations for both the federal government and private sector firms. Reiber argues, for example, that companies should develop a public affairs strategy for cooperating with governments on cyberdefense, and that they should update their terms of service to describe their policies for cyberdefense operations, including “when and how the company will remove individuals’, companies’, or nation-states’ access to products.” He also suggests that the U.S. federal government should invest more in initiatives like the Enduring Security Framework (ESF), which is designed for public-private information sharing for cybersecurity.
Building a foundation for future cooperation is essential, Reiber argues, because nearly all of the internet runs on privately owned technology. “While the United States’ government has made wise investments in cybersecurity capabilities and the Defense Department is uniquely authorized and equipped to disrupt adversary cyberspace infrastructure, the government does not own or operate most of the technological infrastructure of cyberspace, limiting its reach and situational awareness,” Reiber writes. “Given the range of cyberthreats facing the United States, the government needs to work in partnership with the private sector to increase its ability to counter incoming cyberattacks on the nation.”