The big IT issues facing the world’s national defense and security agencies are the same as those facing any organization: big data, social media, and mobility. But cybersecurity remains the overriding IT challenge for most agencies, and governments sometimes undercut their ability to secure themselves and their citizens by keeping industry at a distance in their IT planning.
Unlike other military domains, cyberspace does not have clear national or physical boundaries, and the old areas of responsibility do not easily apply. Many of the networks used for national security agencies are owned and operated by private companies. Protecting networks that are used jointly by defense, civilian agencies, industry, and consumers requires cooperation and integration to ensure defenders can respond effectively to increasingly complex and coordinated threats. Yet often, eyebrows are raised if a third party is in the room for a discussion on cybersecurity. Interaction with potential vendors typically is limited to proposals for acquisitions, while discussions of critical issues take place behind closed doors.
Microsoft’s Digital Crimes Unit has a history of working with industry and law enforcement around the world to combat cybercrime, helping to take down criminal botnets supporting illegal activity. But closer cooperation between defense organizations and industry could help the public sector’s ability to build even better security into networks and to expand its protection of existing infrastructure.
Having once been on the military’s side of the table, I know that this is not due to a lack of concern. There are legitimate reasons for military to keep industry at arm’s length; the most obvious being security concerns. There also are legal concerns about working too closely with specific vendors, which could create the appearance of a conflict or interest or interfere with fair and open competition. The result is that officials often are advised to avoid these risks by avoiding unnecessary contact, but their concerns are valid and can – and should – be addressed.
The security issue is relatively straightforward. Industry can hire experienced personnel with the appropriate security clearances. Microsoft has many experts with government security clearances up to the Top Secret classification. Retiring and separating military personnel are a good source of vetted professionals, with governments and industry working together to manage these clearances and keeping them intact for use in the private sector.
Apparent conflicts of interest can be addressed through good acquisition regulations. Each country has regulations to ensure fair and open competition in government procurement; well-written and scrupulously observed regulations can prevent favoritism without precluding cooperation between the public and private sectors on vital security issues.
Perhaps the biggest challenge to creating an effective public-private partnership for cybersecurity is shifting the “Us vs. Them” mentality. Culture change seldom is easy, but the stakes for cybersecurity are too high not to take advantage of all available resources. The fight against cyber crime, terrorism, espionage, and cyber warfare is critical for both public and private sectors, and just as all parties have something at stake, they also have value to bring to the table.