By: Vigjilenca Abazi, LLM ‘19
Trust is essential for sharing information, especially when it comes to national security secrets. A trust-based relation that facilitates sharing information is hard to build, and it will not come about merely because formal rules mandate it. Rather, the ability to show that shared secrets are kept safe, that the originator of the information retains control over its dissemination, and assurances that it will not be misused are some of the elements that build trust over time. At the same time, these elements of trust significantly limit the circles of information sharing, since the traditional wisdom holds that the wider the sharing circle, the higher the risk of information getting into the wrong hands, of more leaks, or of other security threats. These tensions are well known in discussions about national security. In fact, we accept that there are inherent trade-offs, and we emphasize the importance of sharing information especially where the failure to do so leads to grave consequences for public and national security, as the 9/11 information silos illustrated.
Cyber security, however, raises distinct challenges of trust. First, an effective policy on cyber security depends on sharing information between the public and private sectors, which are two completely different beasts. As already noted in the 2012 Bipartisan Policy Center report, “public-private cyber information sharing can bolster and speed identification and detection of threats and will be critical to a coordinated response to a cyber incident.” Calls for policy revisions were translated into legal rules with the passage of the 2015 Cybersecurity Information Sharing Act, which makes efforts to alleviate some of the concerns that had been expressed, such as those about liability for sharing legally restricted information. Other measures have also been put in place, such as the Department of Defense's Defense Industrial Base program, a practical program for private sector actors to use against cyber attacks. At the agency level, different initiatives had already been put in place, such as the FBI's “InfraGard” project.
Whilst the value of sharing cyber information between the public and private sectors is acknowledged, doing so continues to be a challenge. Lack of trust between the sectors is certainly one reason for this, as prominent experts repeatedly noted at the 2019 Yale Cyber Leadership Forum. For example, companies may be hesitant to share information with the government about their potential cyber weaknesses because of the risk of that information reaching their competitors, loss of profits, reputational harm, or even the risk of lawsuits.
However, the trust deficit between the public and private sectors only partly explains the challenge of sharing information. A second and less discussed issue is that trust between the public and private sectors is contingent upon trust requisites outside this relation. This latter aspect of trust conditions the interactions between government institutions and commercial organisations, and sometimes puts them in opposition.
For companies, the trust of clients and consumers is vital to excelling at a certain product or service. Yet it can very easily be jeopardised or lost. In the wake of the Edward Snowden revelations on mass surveillance, and of the failures of social media giants like Facebook to uphold privacy safeguards, as the Cambridge Analytica disclosures illustrate, companies have become more cautious about maintaining public and consumer trust. This prudence puts them between a rock and a hard place: increasing cooperation with government institutions to thwart cyber attacks may involve sharing sensitive information, part of which may raise privacy concerns for consumers. Even if strict guidelines are followed when such information is shared, the company runs the risk of giving “too much” information, or of doing so without the knowledge of the individuals involved. Global companies that aim to comply with the more rigorous European privacy rules under the GDPR have the additional concern of meeting legal rules and standards that place conflicting demands on them. By contrast to these issues of trust for commercial companies, a lack of public trust in government institutions does not per se call into question the very existence of the institution, even if a certain project proves controversial or meets with high public disapproval. Hence, government can tolerate a lack of trust to an extent that private companies could not survive in the long term. This creates an incentive for companies to be more watchful of what kind of information they share, which runs against the need for a speedy and expedient exchange of information to prevent or address cyber security threats and attacks.
One possible way forward from this trust quandary is to map in more detail, and better understand, which information-sharing models can provide information valuable for mitigating cyber security threats whilst safeguarding privacy and the other interests of the private sector. Research has shown that there are programs, such as the Cyber Information Sharing and Collaboration Program, that “allow the government to act in a way that fosters all the tenets of trust”. The task ahead is to find suitable ways to scale such programs to a broader and more general level, and to shape the overall culture of cyber information sharing in the public and private realms. Efforts should also be made to raise public awareness that cyber security attacks are profound, much more common than is generally known, and can indeed have as their underlying goal an “assault on trust in the digital age”. The public accountability of both sectors should be front and center in any effort to enhance cyber security, rather than treating oversight and transparency as afterthoughts once the complex systems of information sharing are already in place. Doing so is also more cost efficient and has a better chance of ensuring that cyber information sharing actually achieves the needed security goals. Ultimately, failing to acknowledge the need to concurrently address and meet the expectations of different kinds of trust relations diminishes our collective capability to move forward, and fast, in increasing the cyber security capacity of both the public and the private sector. Bridging the public-private divide in cyber security when it comes to trust and information sharing is therefore a pressing need, and it can only be fully tackled through more shared debate between the two fields.