Critical Infrastructure Protection: Advanced Citizenship

Oct 01, 2004

Public-private critical infrastructure partnership is an ideal: easy to love but hard to achieve. This roundtable conversation draws on the experiences of Bill Boni, Randall Yim, Howard Schmidt, Robert Rodriguez and Ted Dmuchowski.

Like world peace, public-private partnership is an ideal: easy to love but hard to achieve. A roundtable conversation, moderated by CSO Editor in Chief Lew McCreary, draws on five experienced partnership advocates and highlights some of the complicating issues.

One of the most confounding obstacles standing in the way of genuinely robust security in the critical infrastructure industries is the basic necessity of building solid partnerships between the mostly private-sector enterprises that own those industries, on the one hand, and federal and state government and law enforcement agencies on the other. Sometimes the spirit is willing but the flesh is weak; at other times, the flesh is plenty strong enough but the ways and means for getting the job done are open to debate.

In the spring, during CSO’s inaugural CSO Perspectives conference in Carlsbad, Calif., Editor in Chief Lew McCreary moderated a panel discussion on how to achieve successful public-private partnerships.

What follows is a distillation of the panel’s hour-long conversation. The next CSO Perspectives conference will be held April 10-12, 2005, in Huntington Beach, Calif.

Lew McCreary: What are the minimum requirements for a successful public-private partnership? Partnership implies obligations on both sides. So what are the parties obliged to do?

Col. Ted Dmuchowski: We need to take two factors into account. The big one is trust. Partnership is not going to work unless we trust each other. The government looks at the motivating factors of the private sector and says, “Driven by money, we can’t trust them.” We’ve got to get past that. The private sector looks at the government and says, “What’s in it for you? Why would the army care about working with us? And what do I get out of the deal?” Once we have a dialogue, and you get beyond [suspicion], you find out that there’s a mutual dependence. You’ve got to build that trust factor.

[A second factor is sharing.] One of the favorite [jokes about government] is: “We’re going to have a partnership. You’re going to tell me what I want to know. And then you’re going to tell me more of what I want to know.” And that doesn’t work very well. And then [the government] wonders why everybody didn’t jump on board and start sharing information. It’s got to be two ways. The government has a lot of intelligence… and a vast army of people looking at the future and [evaluating] what’s going on. And that [analysis] should be made available to all of us to do our part to secure the infrastructure. You in the private sector deal with this stuff all the time. You also have a great deal of intelligence from your overseas businesses, from the networks you operate, from all the people that you deal with: your suppliers and consumers and everything else.

When you put that all together then you have real intelligence. And it needs to be shared back and forth. Because there’s no boundaries in cyberspace. There’s no geography. You can’t say, “My company only operates in this small part of the world.” And the government can’t say, “Well, I’m going to stop at my borders.” It doesn’t work that way anymore…. We’ve got to take all the assets that we have available to us if we’re going to defend the country.

Robert Rodriguez: I spoke at a conference about a year and a half ago, and this guy raises his hand, and he says, “How do I know we can trust you?” I said, “You don’t. But, let me just say this: If the president of the United States will talk about matters of national security in the limousine with the Secret Service, I [think] you can trust us.”

Relationships mean everything. Arrests and convictions are secondary…. I believe in customer service. I try to teach our young agents a business model. What are the CEO’s concerns? Liability, regulation, ROI, shareholder value. If we go out and make an arrest and we show up wearing big Secret Service jackets and we expose their vulnerability, that’s not always the best answer…. Because [over time] a relationship will grow, a trust will grow, and [when there’s a breach] they will call us. And now we’re working multimillion-dollar cases.

We’ve been able to bring people [into the San Francisco Electronic Crimes Task Force] because we’re noncompetitive, we’re nonthreatening. We want to do the right thing. The [private-sector members] want to do the right thing. You have different industry sectors talking about their vulnerabilities. You never used to see that…. The information isn’t unique. What’s unique is the willingness to share it in these trust-based relationships.

McCreary: Bill Boni, at Motorola you’re a customer of the Chicago Electronic Crimes Task Force. Are you satisfied that information-sharing in that framework is effective and of value to Motorola?

William Boni: Absolutely. I think the key element here is that any information-sharing methodology that assumes information will go to a central source to be analyzed and then parceled out to those who have a need to know is hopelessly flawed, in a time of electronic communications and attacks…. My staff establish personal relationships with federal, state and local folks who come to these meetings [and with] some of the other corporate entities. So there’s a personal sharing…. That first level of human personal trust [involves knowing] that the agent you’re talking to is going to give you some space, as opposed to showing up with 12 people who start grabbing tapes off the racks and seizing computers off your production line and shutting down corporate business processes.

The concern is still there that, as soon as [things escalate] to the formal level of saying “You must,” then the general counsel types will put up their hands and say, “We’re not signing anything that says we’re going to share [information]. We’re not comfortable yet. Let somebody else be the test case for you. We’re not interested in that.”

Howard Schmidt: But [the challenges are] not just private to public; they also involve private to private and public to public. Within the government agencies, I don’t know how many times we had to supervise food fights between law enforcement agencies or other government agencies that would sit there and say, “Yeah, we can’t let them know about our investigation because we’re empowered to do counterintelligence, they’re not.” Or, “We’re empowered to do a criminal investigation and they’re not.” So there’s a lot of that that goes on back and forth. And it’s got to be overcome….

It cuts both ways. One of the things the private sector has done very well is connecting the dots and sharing amongst themselves. And particularly with competitors. When we put the IT ISAC together in January 2001, after about seven months of going through lawyers and meetings and all that other stuff, we had Microsoft, Sun, Oracle, IBM, AT&T; all those organizations came together and put aside their competitive differences, which are very strong, and said, “We’re going to share information.” And that was a really good thing.

Dmuchowski: If I could borrow a line from one of my favorite movies, The American President, this is “advanced citizenship.” I mean, this public-private partnership, in the United States of America and in an open democracy, [amounts to] advanced citizenship. It [would be] easy to do in a dictatorial or tyrannical government, where you say, “You will.” But, since we have the freedom to pick and choose, and we allow business and money to drive what’s in the best interest of individuals, this is really tough work. It’s not going to be done with legislation, and it’s not going to be done with force. It’s got to be done because [the parties] want to do it and see the benefit to everybody. And I think as we get into that, and we start to exchange information, you find out that it really is to everyone’s benefit to share this.

McCreary: Of course, we also need advanced government to go along with advanced citizenship…. We had a point brought up by American Electric Power CSO Michael Assante, during an earlier session, about [AEP’s] dealings with the Coast Guard. It didn’t feel to him like a partnership. And the problem seemed to be that there was a level of security being stipulated by people from outside of the industry who kind of lacked a fundamental knowledge of what was required. And I think partnership provokes skepticism to the extent that examples like that are available for people to seize upon. So how do we get to a point where the level of security that one aspires to is being specified by people who are knowledgeable about the risk profile in the given element of infrastructure?

Boni: To take as an example, I was part of a cybersecurity task force that worked under the sponsorship of the Federal Communications Commission to frame out cybersafeguards [within the telecom industry]. They also had a joint physical security task force. And so the industry representatives formulated the framework there that amounts to the best practices baseline for physical and information security in that industry segment. At the end of the day it was not sufficiently detailed to please some people. It was too detailed to please other people. So we’re probably at about the right level of detail across the board. So I think those kinds of examples where you have the agency sponsoring the creation of the standard, and then have active involvement by the industry representatives in a structured manner, can actually allow you to create that framework, something you can then put your hand up and say, “Yeah, this is good stuff. We can deal with this.”

Randall Yim: [In the area of cybersecurity,] I get concerned because I’m not sure that we have good intellectual discussions, in either the executive branch or the Congress, about the role of technology. I mean, when you don’t understand the industry or the new innovations that might be brought to bear, if there’s a lack of understanding of technology and the pace of change in technology, it makes it very difficult to legislate effective security programs. I think it’s sad that we don’t have an Office of Technology Assessment anymore in the federal government. [Editor’s note: For 23 years, until it was shut down in September 1995, the OTA provided Congress with objective analysis of complex science and technology issues that were the subject of legislative action. Readers interested in more information can find it at, a site devoted to the OTA legacy.] So who is actually sorting through these various technological innovations that are touted as the next great thing? [Who is] advising the government, the staffs, the Congress, the administration what to invest in over a long period of time? I think that’s a serious gap that we need to rectify.

McCreary: Would you bring back the OTA?

Yim: Something like the OTA needs to be brought back, because there is that understanding gap. I also think there’s a temporal gap: we are now in such a partisan government, with a 24/7 election cycle in which the depth of vision is typically only two to five years. If you’re looking at having significant change, you need to have a depth of vision of 10, 15, 20 years…. I’d also like to see a revival of a [late-1970s-era] entity in the Congress called the Clearing House on the Future. It was an odd, odd think tank, very small, and you had odd bedfellows there. Newt Gingrich and Al Gore, for example, were very active at the same time in Clearing House on the Future. [Its mission] was to project forward advances in society, culture, technology and so on, looking 20 years out, beyond the horizon that Congress or the administration typically looks at.

McCreary: Does the legal framework help or hinder effective public-private cooperation?

Dmuchowski: You’re probably all aware there’s like 50 states in this union. Each state has its own set of laws. Each state has its own set of Freedom of Information-type laws, which, when we first started this initiative for state infrastructure protection, was a show-stopper. One state, which I won’t mention, had the most liberal laws possible. [It] said that any type of information that came to any agent of the government…must be released, if asked about, within 36 hours. And that was any type of information, whether it was an official letter, an e-mail, a phone call, anything.

Well, those [FOIA] laws prevented public-private partnerships because they [breached] the proprietary nature of private-sector [competitive information]. And they definitely [breached] the security concerns of the federal government. The state governments were caught in the middle. But, by working together, we were able to [negotiate] a way around those laws legally, within all of those states, and get some protection worked out for the partnerships we [forged]. That’s a good-news story. And you don’t hear a lot about the good-news stories. You do hear a lot about the Coast Guard banging on your door and saying, “You know, you’ve got to do this or else.” Or, the enforcement guys showing up at your door…. There’s a lot of good-news stories that have happened in the last couple of years that we need to be aware of.

Schmidt: I’d like to address the question of security clearances. That’s been a real challenge. I remember, in my previous life, having a top-secret security clearance in my military reserve position. [I had] access to information that really, really, could have helped protect a private-sector organization. But, it’s that old problem of, well, I can tell Bill Boni, but Bill can’t tell his boss, [and] he can’t tell his technicians to go fix something because [the underlying information] is classified. And that’s another thing that we need to refine, by dialogue, not by mandate. [We need] to figure out how to cross that bridge between classified under government defense regulations, and an area which is sensitive but unclassified….

I know that the Electronic Crimes Task Forces and InfraGard both have done a very good job at distilling that down to, “Listen, you guys might want to, you know, check the patch status of your routers the next couple of days to make sure they’re really up-to-date….” But, in the meantime, that continues to be a stumbling block for the government in the private-sector piece.

Boni: Of course, we’re still laboring under the legacy of Cold War frameworks created to deal with the threats [of that era], and now we have completely different kinds of threats, and we’re trying to extend that scope. [The framework] really needs to be adapted and refined, because getting people cleared before they can see critical information…. I mean, what’s my status as a commercial manufacturing organization? I don’t have a clearance requirement. We don’t do classified defense work. So we don’t have folks that say to me, “Well, why don’t you go read the report and then tell us if we have an issue that we need to deal with.” If it isn’t declassified, we don’t get it.

McCreary: So much of the infrastructure is interconnected. And every supply chain depends upon the strength of each link. And there’s always going to be a weakest-link problem. At some point, in assuring the security of the critical infrastructure, partnership may have to give way to compulsion. Where is that point? How do you decide when it’s time to stop dangling the carrot and start wielding the stick?

Schmidt: It depends on the circumstances. In the Seattle area this year, we had an abnormally heavy, stormy season. I live up on a mountain, and I have a generator for backup power. Normally, I use it once a year for maybe eight hours. This year I was without power for five days. I was out for three days at another point. Later, I was out for two days. So my needs, relative to the supply chain, were different than under normal circumstances. I keep two five-gallon cans of gas [on hand], which would normally work. Well, guess what? That wasn’t enough. And the time we had an ice storm, I couldn’t get down the mountain to go buy more.

One of the challenges we have with interconnectedness and interdependency is to [decide] under what set of circumstances we can build at least an 80 percent capability [such that] if this, this and this happens, we can get 80 percent of what we need; but anything else is just so far beyond the normal realm of possibility that we can’t [plan] to that level.

Dmuchowski: One factor that keeps coming up is to let [solutions] be market-driven. I’ll give you an example of one: If 80 percent of the industries within a certain business area are participating in a partnership and 20 percent are not, a coalition of the conformers could easily say, “You know, from now on, we’re not going to do business with the other 20 percent.” Or, there could be a marketing campaign that says, “Our 80 percent have gotten together. We do this and they don’t.” [This way], other factors drive compliance without having some government regulator come in and do oversight. And it has happened. There are a number of cases where [market approaches have] been beneficial.

Yim: I think the concern, though, with market-driven approaches is that there’s a greater sense of urgency for homeland security than perhaps the market would sort out within the time frame you wish it to sort out. I think, actually, in most partnerships there is an element of coercion involved in the relationship. I mean, it could be a nice coercion, but there typically is some sort of coercive motivating force. And I think the feds are going to have to set some standards, some goals, some outcome metrics that put an obligation on the private sector to develop protocols to achieve those goals that the federal government sets.

How they set those goals should involve the private sector, but there have to be both carrots and sticks to achieve them: some way that imposes more best practices. Perhaps… rapacious lawyers (like me, in my former life) could bring [lawsuits] to enforce a negligence standard. [That could] then lead to the growth of insurance industries, which also coerce the private sector to adhere to some of those protocols. Coercion doesn’t have to come from the federal government directly, but [the feds] could create an environment in which a lot of other coercive forces come into play. Because the fact of the matter is you’re going to need some combination of carrots and sticks on the issue of homeland security.

Boni: I think the real driving issue here, if you go back and look at [how sprinkler systems came to be in factories], such safeguards come out of the experience of factories burning down and people dying. And until we see mass-casualty events that are critical to information security failures, I don’t think you’re going to have that same sense of urgency. And, probably, as a society we shouldn’t. But, the challenge is to make sure that organizations are doing their reasonable best to not be the cause of part of that event. But my belief is that until we see mass casualty situations that arise from information security, we won’t make that transition, and we shouldn’t. Unfortunately, I think that it is going to happen at some point. Whether that’s before or after I retire from my current employment is a very important deliverable.