Businesses call for greater government cyber security involvement
Government organisations must take a more proactive approach to engaging with private-sector businesses in order to head off increasingly virulent cybersecurity threats, a new report issued by a thinktank of major US business interests has warned.
The report, entitled More Intelligent, More Effective Cybersecurity Protection, reflects the consensus of the Business Roundtable, a group of CEOs of US companies representing nearly 16 million employees and $US7.3 trillion in annual revenues.
Their conclusion? That governments are uniquely poised to provide the kind of intelligence and tools necessary to mount an effective defence against online security threats.
"The robust, two-way exchange of information, supported by appropriate legal and privacy protections, will improve public-private risk management, and ultimately, improve the security of the nation's cyber assets," BRT Information and Technology Committee chair Ajay Banga said in a statement.
The report notes the emerging threat posed by state-backed attackers to private-sector companies, a threat that cannot be countered without government-level support. Information sharing is held to be the "single most important element of an effective cybersecurity policy", with exchange of threat information paired with "a robust set of trusted, well-structured and regularized policies and processes among the US government, international allies and private-sector entities".
Information necessary for exchange includes security alerts, response actions, situational awareness, and mitigation analysis.
The report slammed the governmental practice of working to check-the-box compliance models that are designed and passed without fundamentally sound information-sharing legislation. It proposes a cross-sector approach that sets out private and public-sector commitments to actions such as two-way information sharing, threat-informed risk management, and CEO commitments to cybersecurity.
"Public and private risk assessment and mitigation models have not evolved to the point where they can guide deployment of resources in the most valuable way," the report says. "In such a dynamic cyber threat environment, without timely and actionable information about threats beyond those the private sector can typically identify and mitigate, companies must speculate as to the greatest risks and how to address them."
The CEOs aren't expecting to lean on government authorities for every aspect of the industry's defence, however: all were prepared to invest in infrastructure to boost the availability and use of shared threat information; to develop capabilities for integrating cybersecurity threat and risk information with CEO risk management practices; and to push boards of directors to integrate business resiliency checks into their risk oversight functions.
The full report is available here.
Recommendations for More Intelligent, More Effective Cybersecurity Protection
- Threat Identification, Assessment and Law Enforcement: Authorize and create two-way information sharing to actively exchange reports on imminent threats, response actions and situational awareness as well as deliver strategic threat assessments, such as National Intelligence Estimates, and increase law enforcement capabilities to disrupt, apprehend and prosecute cyber criminals.
- Risk Management and Mitigation: Manage cybersecurity risks by building upon existing public-private partnership initiatives to develop threat-informed risk management and mitigation methodologies to address the most consequential risks to critical systems, assets and networks.
- Governance and Operations: Position the public and private sectors to collaborate on cybersecurity at strategic and operational levels.
- Continuous Improvement: Commit to focused research and development to continually improve cybersecurity capabilities as threats evolve – especially those functions supporting public-private information sharing.
- Accountability: Invest in information sharing infrastructure and integrate actionable threat information into CEO risk management and board oversight activities to guide decisions and oversight related to strategic planning and budgeting, organisational structure and training, and internal control.