The global think tank releases a report on possible ways and means for the collaboration, in the run-up to the annual meeting at Davos later this month
Cybersecurity threats are fast outpacing the ability to overcome them and the only way to tackle them is through more effective collaboration between the private and public sectors, says the World Economic Forum (WEF).
The global think tank has released a report, Cyber Resilience: Playbook for Public-Private Collaboration, in collaboration with The Boston Consulting Group (BCG). The playbook proposes a reference architecture for intra-state public-private partnership and cyber policy models.
The playbook is “a tool to facilitate capacity-building, policies and processes necessary to support collaboration, safeguard cyberspace and strengthen cyber-resilience,” WEF said in a statement.
The timing of the report is significant as the global multilateral think tank is starting its Annual Meeting at Davos from 23 January. The meeting, to be attended by Indian Prime Minister Narendra Modi, along with other global heads of state, business leaders and intellectuals, is themed Creating a Shared Future in a Fractured World. Cyber resilience could be one of the pillars of that shared future.
“Working collaboratively in the cybersecurity space is difficult. Cyber-threats are complex, dynamic and increasingly personal as technology saturates our economy and society. Addressing these threats requires dialogue across industries and competencies, and on subjects from the technical to the ethical. Currently, dialogue between leaders in the public and private sectors is often off-target and at cross purposes. Policy implementation also varies by national context: every country has its own unique capabilities, vulnerabilities and priorities,” WEF said.
The Cyber Resilience: Playbook for Public-Private Collaboration report aims to help leaders develop a baseline understanding of the key issues and of the pros and cons of different policy positions on cybersecurity.
Key Policy Models
The playbook has identified 14 topics and the policy models around them. Each policy model provides a brief reference for a specific topic, including an analytical framework for approaching policy questions, and documents the risks and trade-offs associated with each policy, the normative trade-offs included.
These are the 14 areas of collaboration listed by the playbook, along with key questions within each.
Research, Data and Intelligence Sharing
- What is the government’s role in sharing and promoting the dissemination of threat intelligence?
- To what extent should the government be involved in the research, development and purchase of zero-day vulnerabilities and exploits?
- To what extent should government share these vulnerabilities with the private sector?
- Who is liable for securing a vulnerability?
- How should that liability shift if/when products transition to end-of-life?
- How should government engage with the private sector when the private sector publicly alleges that a particular actor is responsible for a given attack?
- What should be done to prevent the proliferation of botnets?
- How should existing botnets be researched and studied?
- How should actors throughout the ecosystem disrupt botnets?
- What should non-users be able to monitor to promote security and other valid national interests?
Assigning national information security roles
- Which entities and organizations should be responsible for fulfilling different national information security roles?
- Who should be able to access sensitive data and communications?
Cross-border data flows
- What are the security and non-security implications of countries exerting control over data?
- When should companies be required to notify relevant stakeholders that they have been breached or otherwise experienced a cyberincident?
- What sanctions should policy-makers apply to compromised organizations?
Duty of assistance
- How should public resources be drawn upon in the wake of a cyberincident?
- What technical measures should the private sector be empowered to use to deter and respond to cyberthreats?
- What is the reasonable duty of care that an organization should have?
- Who should bear the residual damages resulting from cyberincidents when an organization has sufficiently invested in security controls?
- What, if any, incentives should be offered to obtain insurance?
- Which entities should be prioritized for these incentives?
Themes & Interdependencies
The report also identifies a number of linkages and interdependencies among the identified topics. For example, an effective intelligence-sharing policy will help limit the spread of malicious software, and the greater adoption of encryption may limit the ability to monitor and police network traffic. In practice, what this means for business leaders and policy-makers is that cybersecurity policy-making efforts should be more collaborative and deliberative.
“Efforts should also be framed in the context of an ongoing iterative process rather than ad hoc and crisis-driven, resulting in patchwork legislation,” it says.
The report identifies five key themes across the 14 policy topics and 15 linkages between them. These themes and linkages are represented in a diagram here.
Source: Cyber Resilience: Playbook for Public-Private Collaboration, World Economic Forum, in collaboration with The Boston Consulting Group (BCG)
Here are the linkages:
1. Attribution key element of intelligence, particularly for public sector
2. Zero-day vulnerabilities crucial opportunity for governments to share threat intelligence
3. Botnet disruption facilitated by rapid and well-coordinated research and action
4. Securing vulnerabilities through avoidance or patching may diminish threat surface for botnet operators
5. More invasive monitoring capabilities may allow ISPs to police botnet more effectively
6. Extent of active defence permitted by private sector key element of national roles and responsibilities
7. Granular understanding of government duty of assistance fundamental to national cyber resilience
8. Greater adoption of strong encryption will hinder the ability to monitor network traffic
9. Limitations on cross-border data flows may introduce friction into intelligence sharing
10. Heightened notification requirements may result in increasing investment to secure known vulnerabilities
11. Duty to assist integrally linked with liability—where private sector cannot be reasonably expected to secure, government steps in
12. Nation-state attribution may trigger government duty to assist the private sector
13. Active defence may result in collateral damage without well-defined attribution and safeguards (e.g. organization vs. nation-state)
14. Liability thresholds circumscribe the nature of cyberinsurance incentivized
15. Cyberinsurance can be more effectively priced and deployed given greater data and intelligence
“In connecting norms and values to policy, the report encourages all actors to move past absolute and rigid positions towards more nuanced discussions aimed at solving key challenges, and presents the implications of policy choices on five key values: security, privacy, economic value, accountability and fairness,” the WEF statement said.
WEF has started a new Global Centre for Cybersecurity, which will be presented at the Annual Meeting in Davos later this month.