This week Business Roundtable (BRT) released its report Mission Critical: A Public-Private Strategy for Effective Cyber Security. Microsoft is an active participant in BRT and we believe this report includes key insights that can help inform and advance cybersecurity discussions that are currently happening in the U.S. and around the world.

As an association of chief executive officers of leading U.S. companies, the Business Roundtable’s focus on cyber security demonstrates both leadership and a strong commitment to a thriving global economy and the security of the nation.  BRT introduces its report with a concise summation of the dangers faced and a call to action:

“Cyber attacks must not threaten our economic security: As a nation, we have limitless potential to develop innovative technologies that will unleash new scalable and efficient global business models, keeping America competitive in the international marketplace and leading to domestic economic growth and job creation. Increasingly, however, cyber-based attacks, especially those initiated by well-resourced and motivated adversaries, target our government as well as the U.S. business community, threatening productivity, growth and competitive advantage. With our economic and national security at stake, Business Roundtable CEOs are motivated to seek innovative ways to respond to and mitigate increasing cybersecurity risks.”

The BRT proposals are appropriately founded on leveraging public-private partnership (PPP), and specifically the National Infrastructure Protection Plan framework as the best approach to elevate cybersecurity collaboration.  The BRT report notes that neither the government nor private-sector companies have adequate information on the most consequential cybersecurity risks facing our nation, and says “Of most concern is a lack of information on cybersecurity threats from organized crime and other well-funded actors.”

The 20-page BRT report identifies six principles that create an effective filter for evaluating various policy initiatives that are being considered. I believe that these principles are important for shaping “outcome-based” solutions that enable industry and governments to innovate in their respective responses to cybersecurity challenges. Here are the six public policy principles from the report:

  1. SCALABLE AND FLEXIBLE: Cybersecurity threats continue to grow in scope, scale and speed. Solutions based on “check-the-box” compliance regimes not only are insufficient, but they also weaken the ability to deploy innovative security solutions to quickly mitigate evolving risks. Both the public and private sectors must prioritize solutions that can be adapted to align with new technologies, new attacks, and both domestic and global policy developments.
  2. COLLABORATIVE: Government needs industry’s know-how, facility for cross-border solutions and speed. Industry needs government’s reach across the economy, enforcement authorities, and power to defend against national actors and global criminals. Accordingly, addressing cybersecurity threats requires a public-private partnership.
  3. CUSTOMIZED BY SECTOR: One size will not fit all in cybersecurity any more than it does in other areas (such as physical security). Some industry sectors are more advanced, others more regulated, others more organized. Approaches to cybersecurity should work with what exists and leverage each sector’s unique strengths, individual challenges and specifics.
  4. RISK BASED: The business and operational impact of cybersecurity risks varies relative to a company’s operational and financial profile. A blanket regulatory approach cannot provide an effective strategy for risk mitigation. Rather, the private sector must be allowed to evaluate cybersecurity risk on a sector-by-sector basis and apply risk mitigation measures commensurate with those risks in collaboration with the government agencies most relevant to the sector.
  5. PROACTIVE AND RESPONSIVE: Approaches to addressing cybersecurity risks should prioritize prevention, detection, response and recovery measures. Responsible actors will get hacked and should not be presumed negligent for their inability to prevent criminal behavior. Companies’ first call should be to their security teams, not their legal counsels. Laws and regulations should encourage information sharing, remediation and quick response rather than punishment of victims.
  6. GLOBALLY REPLICABLE: Standards should be consistent across all countries. A global maze of differing and nation-specific rules, standards and enforcement regimes not only creates a difficult environment for trade and the efficient deployment of scalable business models globally but also undermines security itself.

I’m excited to see this report from BRT because it directly addresses one of the greatest challenges we face in enhancing cybersecurity, which is achieving meaningful collaboration between government and industry. Absent effective collaboration, the chances for achieving effective and meaningful outcomes are limited. Collaboration relies on building effective public-private partnerships, which is a very hard task for all of the stakeholders involved.

Too often, PPPs are launched with gusto and then slowly devolve into slow-moving organizational structures that can impede action. The US has a virtual ecosystem of PPPs. Too many such partnerships can be hard to sustain and keep focused on delivering results. It may be time to consider how we can make such partnerships more agile and focused to ensure that strategic issues are answered and meaningful deliverables are produced. Taking steps to modernize public-private partnerships takes leadership from all of the stakeholders. Sometimes groups must be retired and, in other cases, charters changed. We are facing tough challenges and so we must not shy away from tough decisions.

Industry must build the right business case to engage its best and brightest minds, and government must bring its best minds to the table as well. The efforts proposed by Business Roundtable deserve a concerted effort from all sides to carry these ideas through to fruition.