National Security and Public-Private Partnership for Cybersecurity: Strengths and Challenges by Stefano Mele

NATIONAL SECURITY AND PUBLIC-NATIONAL SECURITY AND PUBLIC-
PRIVATE PARTNERSHIP FORPRIVATE PARTNERSHIP FOR
CYBERSECURITYCYBERSECURITY
STRENGTHS AND CHALLENGESSTRENGTHS AND CHALLENGES
StefanoStefano MeleMele
CODE BLUE 2017 - TOKYOCODE BLUE 2017 - TOKYO 09 NOV.09 NOV.
20172017

@MeleStefano
 I am a cyber-lawyercyber-lawyer to the Italian “Carnelutti Law Firm” in Milan
 I am Founder and Partner of the Moire Consulting GroupMoire Consulting Group
 I am Member of the Governing Board and President of the Cybersecurity CommissionPresident of the Cybersecurity Commission
of the Italian Atlantic Committeeof the Italian Atlantic Committee
 I am President of the “President of the “Cyber Security Working GroupCyber Security Working Group”” of the American Chamber of
Commerce in Italy (AmCham)
 I hold a PhDPhD and I am a LecturerLecturer for several Universities and Military research
Institutions in Italy and NATO
 I am the Director of the “Director of the “InfoWarfare and Emerging TechnologiesInfoWarfare and Emerging Technologies”” Observatory of the
Italian Institute of Strategic Studies ‘Niccolò Machiavelli’
 I am included in the NATO’s “Key Opinion Leaders for Cyberspace SecurityKey Opinion Leaders for Cyberspace Security” list
 I am listed in Forbes’ 2014 “20 best worldwide Cyber Policy Experts to follow online20 best worldwide Cyber Policy Experts to follow online”
Stefano Mele 209 Nov. 2017National Security and Public-Private Partnership forNational Security and Public-Private Partnership for
CybersecurityCybersecurity

#Introduction#Introduction
The high level of pervasiveness of technologies and the Internet in every field ofThe high level of pervasiveness of technologies and the Internet in every field of
today’s social fabric hastoday’s social fabric has completely changed every aspect of our societycompletely changed every aspect of our society, service, service
delivery and management, access to information – in both its quality and quantity – asdelivery and management, access to information – in both its quality and quantity – as
well as the relationship between the aforementioned elements and the citizens,well as the relationship between the aforementioned elements and the citizens,
what’s more,what’s more, in a rather limited stretch of timein a rather limited stretch of time
As if that wasn’t enough to highlight their paramount importance in the so-calledAs if that wasn’t enough to highlight their paramount importance in the so-called
“information society”, technologies and the Internet are at the root of those complex“information society”, technologies and the Internet are at the root of those complex
systems thatsystems that ensure the correct functioning of a state’s strategic and critical sectorsensure the correct functioning of a state’s strategic and critical sectors,,
namely energy, communication, transports, finance and so on. Hence, they function asnamely energy, communication, transports, finance and so on. Hence, they function as
one of the pivots around which each country’s economic and social well-being revolvesone of the pivots around which each country’s economic and social well-being revolves
as well as its support andas well as its support and the starting point for its growththe starting point for its growth

Guaranteeing aGuaranteeing a strategic approach to the security of this sectorstrategic approach to the security of this sector and planning itsand planning its
growth, assessing short, medium and long-term risks as well as producing forecasts ongrowth, assessing short, medium and long-term risks as well as producing forecasts on
its evolution are therefore an essential and priority task in each good government’sits evolution are therefore an essential and priority task in each good government’s
political agendapolitical agenda
This is true especially nowadays, whenThis is true especially nowadays, when the protection of the cyberspace represents athe protection of the cyberspace represents a
top prioritytop priority challenge since only the effective protection of such a space can letchallenge since only the effective protection of such a space can let
everyone live a normal life from a political, social, economic, technological, industrialeveryone live a normal life from a political, social, economic, technological, industrial
and cultural point of viewand cultural point of view

From this perspective,From this perspective, the public-private partnership looks like a growing functionalthe public-private partnership looks like a growing functional
need in cybersecurityneed in cybersecurity, mainly due to two elements: first, the fact that the majority of, mainly due to two elements: first, the fact that the majority of
critical infrastructures are owned and managed by privates; secondly, the use ofcritical infrastructures are owned and managed by privates; secondly, the use of
information and communication technologies (ICTs) in such systems has becomeinformation and communication technologies (ICTs) in such systems has become
widespread, and their level of interconnection being significantly highwidespread, and their level of interconnection being significantly high
In addition, it is no coincidence that an accurateIn addition, it is no coincidence that an accurate comparative analysis of all thecomparative analysis of all the
public European and international cyber strategiespublic European and international cyber strategies shows how two (out of the three)shows how two (out of the three)
strategic guidelines they have in common are related tostrategic guidelines they have in common are related to strengthening internationalstrengthening international
cooperation and public-private partnership/information sharingcooperation and public-private partnership/information sharing

#European Union#European Union
In February 2013, theIn February 2013, the EU adopted its first cyber strategyEU adopted its first cyber strategy, with the declared aim to, with the declared aim to
help ensuring an “help ensuring an “open, safe and secureopen, safe and secure” cyberspace, in cooperation with member” cyberspace, in cooperation with member
states and other supranational institutions. Such an action proved to be necessary asstates and other supranational institutions. Such an action proved to be necessary as
nowadays information and communication technologies have becomenowadays information and communication technologies have become the backbone ofthe backbone of
European economic growthEuropean economic growth and a major resource for EU citizensand a major resource for EU citizens

The followingThe following five strategic prioritiesfive strategic priorities have been identified in the document:have been identified in the document:
1.1.Achieving cyber resilienceAchieving cyber resilience
2.2.DrasticallyDrastically reducing cyber crimereducing cyber crime, both through rules already in force, and by, both through rules already in force, and by
introducing new sets of rules affecting specific critical sectors, which means activelyintroducing new sets of rules affecting specific critical sectors, which means actively
working to increase member states’ domestic operational capabilities and to improveworking to increase member states’ domestic operational capabilities and to improve
EU structures’ coordination and support (e.g., European Cybercrime Centre – EC3)EU structures’ coordination and support (e.g., European Cybercrime Centre – EC3)
3.3.Developing cyber defence policy and capabilitiesDeveloping cyber defence policy and capabilities related to the Common Securityrelated to the Common Security
and Defence Policy (CSDP)and Defence Policy (CSDP)
4.4.Develop the industrial and technological resources for cybersecurityDevelop the industrial and technological resources for cybersecurity
5.5.Establish a coherentEstablish a coherent international cyberspace policy for the European Unioninternational cyberspace policy for the European Union andand
promote core EU valuespromote core EU values

Although public-private partnership/information sharingAlthough public-private partnership/information sharing is one of the strategicis one of the strategic
principles common to all the cyber strategies worldwideprinciples common to all the cyber strategies worldwide, it has been blatantly, it has been blatantly left offleft off
the five EU strategic prioritiesthe five EU strategic priorities
It is mentioned almost exclusively with regard toIt is mentioned almost exclusively with regard to ENISA European Public-PrivateENISA European Public-Private
Partnership for ResiliencePartnership for Resilience (EP3R) and in some(EP3R) and in some statements aimed to improvestatements aimed to improve
preparedness and engagement of the private sectorpreparedness and engagement of the private sector especially in the context ofespecially in the context of
resilience and network and information securityresilience and network and information security

In July 2016, the EU launched the firstIn July 2016, the EU launched the first European public private partnership onEuropean public private partnership on
cybersecuritycybersecurity. The. The EU will invest €1.8 billion by 2020 in this partnershipEU will invest €1.8 billion by 2020 in this partnership, under its, under its
research and innovation programme Horizon 2020research and innovation programme Horizon 2020
Cybersecurity market players, represented by theCybersecurity market players, represented by the European Cyber SecurityEuropean Cyber Security
Organisation (ECSO)Organisation (ECSO), are expected to invest three times more, are expected to invest three times more
This partnership will also include members from national, regional and local publicThis partnership will also include members from national, regional and local public
administrations, research centres and academia. The aim of the partnership isadministrations, research centres and academia. The aim of the partnership is toto
foster cooperation at early stages of the research and innovation process and to buildfoster cooperation at early stages of the research and innovation process and to build
cybersecurity solutions for various sectors, such as energy, health, transport andcybersecurity solutions for various sectors, such as energy, health, transport and
financefinance

The “The “Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures to ensure a high common level of network and information security acrossconcerning measures to ensure a high common level of network and information security across
the Unionthe Union”, that must be implemented by May 2018, specifically:”, that must be implemented by May 2018, specifically:
Lays down obligations for all Member States toLays down obligations for all Member States to adopt a national strategy on the security ofadopt a national strategy on the security of
network and information systemsnetwork and information systems
Creates aCreates a Cooperation GroupCooperation Group in order to support andin order to support and facilitate strategic cooperation and thefacilitate strategic cooperation and the
exchange of information among Member Statesexchange of information among Member States and to develop trust and confidence amongstand to develop trust and confidence amongst
themthem
Creates a computer security incident response teams network (‘Creates a computer security incident response teams network (‘CSIRTs networkCSIRTs network’) in order to’) in order to
contribute to thecontribute to the development of trust and confidence between Member Statesdevelopment of trust and confidence between Member States and to promoteand to promote
swift and effective operational cooperationswift and effective operational cooperation
EstablishesEstablishes security and notification requirements for operators of essential services and forsecurity and notification requirements for operators of essential services and for
digital service providersdigital service providers
Lays down obligations for Member States toLays down obligations for Member States to designate national competent authoritiesdesignate national competent authorities, single, single
points of contact and CSIRTs with tasks related to the security of network and informationpoints of contact and CSIRTs with tasks related to the security of network and information
systemssystems

The newly adopted EU’s cyber strategy (13 September 2017), entitled “The newly adopted EU’s cyber strategy (13 September 2017), entitled “Resilience,Resilience,
Deterrence and Defence: Building strong cybersecurity for the EUDeterrence and Defence: Building strong cybersecurity for the EU”, pinpoints that:”, pinpoints that:
Building on the work of Member States and the Public-Private Partnership, a furtherBuilding on the work of Member States and the Public-Private Partnership, a further
step would be to reinforce EU cybersecurity capability through astep would be to reinforce EU cybersecurity capability through a network ofnetwork of
cybersecurity competence centres with a European Cybersecurity Research andcybersecurity competence centres with a European Cybersecurity Research and
Competence CentreCompetence Centre at its heart. This network and its Centre would stimulateat its heart. This network and its Centre would stimulate
development and deployment of technology in cybersecurity and complement thedevelopment and deployment of technology in cybersecurity and complement the
capacity building efforts in this area at EU and national levelcapacity building efforts in this area at EU and national level
The EU plans to propose aThe EU plans to propose a short-term injection of funding of EUR 50 million to thisshort-term injection of funding of EUR 50 million to this
endend. This activity will complement the ongoing implementation of the Public-Private. This activity will complement the ongoing implementation of the Public-Private
Partnership on CybersecurityPartnership on Cybersecurity

The newly adopted EU’s cyber strategy (13 September 2017), entitled “The newly adopted EU’s cyber strategy (13 September 2017), entitled “Resilience,Resilience,
Deterrence and Defence: Building strong cybersecurity for the EUDeterrence and Defence: Building strong cybersecurity for the EU”, also highlights that:”, also highlights that:
Evidence suggests that people from around the globe identify cyber attacks from otherEvidence suggests that people from around the globe identify cyber attacks from other
countries as among the leading threats to national security. Given the global nature of thecountries as among the leading threats to national security. Given the global nature of the
threat,threat, building and maintaining robust alliances and partnerships with third countries isbuilding and maintaining robust alliances and partnerships with third countries is
fundamental to the prevention and deterrence of cyber-attacksfundamental to the prevention and deterrence of cyber-attacks – which are increasingly– which are increasingly
central to international stability and security. The EU will prioritise the establishment of acentral to international stability and security. The EU will prioritise the establishment of a
strategic framework for conflict prevention and stability in cyberspace in its bilateral,strategic framework for conflict prevention and stability in cyberspace in its bilateral,
regional, multi-stakeholder and multilateral engagementsregional, multi-stakeholder and multilateral engagements
TheThe EU strongly promotes the position that international law, and in particular the UNEU strongly promotes the position that international law, and in particular the UN
Charter, applies in cyberspaceCharter, applies in cyberspace

#Italy#Italy
Since 2013, the Italian government clearly pointed out the necessity of a strongSince 2013, the Italian government clearly pointed out the necessity of a strong
public-private partnership through the Prime Minister’s Decree of 24th January 2013public-private partnership through the Prime Minister’s Decree of 24th January 2013
setting out “setting out “Strategic Guidelines for the National Cyber Protection and ICT SecurityStrategic Guidelines for the National Cyber Protection and ICT Security”.”.
A necessity marked again also through theA necessity marked again also through the new Prime Minister’s Decree of 17thnew Prime Minister’s Decree of 17th
February 2017February 2017
In an effort to take its first and essential step to integrate the already existingIn an effort to take its first and essential step to integrate the already existing
structures and knowledge in the field of cybersecurity, the Italian Government in 2013structures and knowledge in the field of cybersecurity, the Italian Government in 2013
and 2017and 2017 stressed the importance of private sector entities in ensuring national ICTstressed the importance of private sector entities in ensuring national ICT
securitysecurity

#Italy#Italy
According to Article 11 of the aforementioned Decrees, theAccording to Article 11 of the aforementioned Decrees, the private stakeholdersprivate stakeholders whowho
provide public networks of communication or electronic communication services to theprovide public networks of communication or electronic communication services to the
public, operating national and European critical infrastructures depending on ITC systems,public, operating national and European critical infrastructures depending on ITC systems,
subject to a dedicated agreement, shall:subject to a dedicated agreement, shall:
report to the Cybersecurity Unit anyreport to the Cybersecurity Unit any significant security and integrity violation of theirsignificant security and integrity violation of their
own computer systemsown computer systems also through those authorized to obtain this kind of communicationsalso through those authorized to obtain this kind of communications
adopt all the best practices and measures necessary to pursue cybersecurityadopt all the best practices and measures necessary to pursue cybersecurity, as provided, as provided
by the Ministry of Economic Development and the Committee for the Security of theby the Ministry of Economic Development and the Committee for the Security of the
Republic (the so-called “Technical CISR”)Republic (the so-called “Technical CISR”)
share information with the agencies for intelligence and security and allow access to theirshare information with the agencies for intelligence and security and allow access to their
Security Operations Center and databases that are relevant to cybersecuritySecurity Operations Center and databases that are relevant to cybersecurity
collaborate to the management of a cyber crisiscollaborate to the management of a cyber crisis by restoring the functionality of theby restoring the functionality of the
systems and networks they operatesystems and networks they operate

#Italy#Italy
One can easily noticeOne can easily notice
how no less thanhow no less than threethree
out of six guidelinesout of six guidelines
envisage also theenvisage also the
involvement of theinvolvement of the
private sectorprivate sector, more or, more or
less directly (less directly (points 2,points 2,
3 and 43 and 4))

#Italy#Italy
Although eight out ofAlthough eight out of
the eleven listedthe eleven listed
operational guidelinesoperational guidelines
might genericallymight generically
outline a directoutline a direct
involvement of theinvolvement of the
private sector,private sector, onlyonly
two of them expresslytwo of them expressly
and specifically dealand specifically deal
with public-privatewith public-private
partnershippartnership ((points 2points 2
and 3and 3))

#United Kingdom#United Kingdom
In the course of time, the United Kingdom also developed its own strategic approachIn the course of time, the United Kingdom also developed its own strategic approach
to cybersecurityto cybersecurity
The first step taken in this direction dates back to 2009, when the “The first step taken in this direction dates back to 2009, when the “Cyber SecurityCyber Security
Strategy of the United KingdomStrategy of the United Kingdom” was established, aiming to create dedicated” was established, aiming to create dedicated
Government bodies and to establish inter-governmental programs for strengtheningGovernment bodies and to establish inter-governmental programs for strengthening
British IT systems’ resilience. The above-mentioned document has been almost totallyBritish IT systems’ resilience. The above-mentioned document has been almost totally
replaced in 2011 by the “replaced in 2011 by the “UK Cyber Security StrategyUK Cyber Security Strategy””

Furthermore, the 2011 cyber strategy was recently updated by the “Furthermore, the 2011 cyber strategy was recently updated by the “UK National Cyber SecurityUK National Cyber Security
Strategy (2016-2021)Strategy (2016-2021)” setting three main strategic objectives to be reached within 2021,” setting three main strategic objectives to be reached within 2021,
namely:namely:
DEFENDDEFEND ---- We have the means to defend the UK against evolving cyber threatsWe have the means to defend the UK against evolving cyber threats, to respond, to respond
effectively to incidents, and to ensure UK networks, data and systems are protected andeffectively to incidents, and to ensure UK networks, data and systems are protected and
resilient. Citizens, businesses and the public sector have the knowledge and ability to defendresilient. Citizens, businesses and the public sector have the knowledge and ability to defend
themselves.themselves.
DETERDETER -- The UK will be a hard target for all forms of aggression in cyberspace. We detect,-- The UK will be a hard target for all forms of aggression in cyberspace. We detect,
understand, investigate and disrupt hostile action taken against us, pursuing and prosecutingunderstand, investigate and disrupt hostile action taken against us, pursuing and prosecuting
offenders.offenders. We have the means to take offensive action in cyberspaceWe have the means to take offensive action in cyberspace, should we choose to do, should we choose to do
so.so.
DEVELOPDEVELOP ---- We have an innovative, growing cybersecurity industry, underpinned by world-We have an innovative, growing cybersecurity industry, underpinned by world-
leading scientific research and developmentleading scientific research and development. We have a self-sustaining pipeline of talent. We have a self-sustaining pipeline of talent
providing the skills to meet our national needs across the public and private sectors. Ourproviding the skills to meet our national needs across the public and private sectors. Our
cutting-edge analysis and expertise will enable the UK to meet and overcome future threats andcutting-edge analysis and expertise will enable the UK to meet and overcome future threats and
challengeschallenges

As part of a broader action plan, in the field of public-private partnership is veryAs part of a broader action plan, in the field of public-private partnership is very
interesting to note that, on October 2016, theinteresting to note that, on October 2016, the UK Government has created theUK Government has created the
National Cyber Security CentreNational Cyber Security Centre (NCSC)(NCSC)
The NCSC provides a unique opportunity to buildThe NCSC provides a unique opportunity to build effective cybersecurityeffective cybersecurity
partnerships between government, industry and the publicpartnerships between government, industry and the public. It brings together the. It brings together the
capabilities already developed by CESG – the information security arm of GCHQ – thecapabilities already developed by CESG – the information security arm of GCHQ – the
Centre for the Protection of National Infrastructure (CPNI), CERT-UK (ComputerCentre for the Protection of National Infrastructure (CPNI), CERT-UK (Computer
Emergency Response Team) and the Centre for Cyber Assessment (CCA)Emergency Response Team) and the Centre for Cyber Assessment (CCA)

It will provide cyber incident response and be the UK’s authoritative voice onIt will provide cyber incident response and be the UK’s authoritative voice on
cybersecurity. In fact, thecybersecurity. In fact, the NCSC providesNCSC provides::
aa unified source of advice for the Government’s cybersecurityunified source of advice for the Government’s cybersecurity threat intelligence andthreat intelligence and
information assuranceinformation assurance
the strongthe strong public face of the Government’s action against cyber threatspublic face of the Government’s action against cyber threats – working– working
hand in hand with industry, academia and international partners to keep the UKhand in hand with industry, academia and international partners to keep the UK
protected against cyber attackprotected against cyber attack
a public-facing organization with reach back into GCHQ toa public-facing organization with reach back into GCHQ to draw on necessarily secretdraw on necessarily secret
intelligence and world-class technical expertiseintelligence and world-class technical expertise

#United States#United States
Ten are the strategies currently in force in the United States solely in the sector ofTen are the strategies currently in force in the United States solely in the sector of
cybersecurity, and no less than nine of themcybersecurity, and no less than nine of them openly emphasize the leading role playedopenly emphasize the leading role played
by public-private partnershipby public-private partnership. In this perspective, the Government needs to develop a. In this perspective, the Government needs to develop a
process addressed to assist the private sector in preempting, detecting and counteringprocess addressed to assist the private sector in preempting, detecting and countering
cyber attacks, as well as sharing relevant information, both at home andcyber attacks, as well as sharing relevant information, both at home and
internationallyinternationally
The U.S. have always paid a particular attention to cooperation in this sector. Back inThe U.S. have always paid a particular attention to cooperation in this sector. Back in
2003, the “Actions and Recommendations” of the “2003, the “Actions and Recommendations” of the “National Strategy to SecureNational Strategy to Secure
CyberspaceCyberspace” had already stressed the role of private stakeholders, underlining” had already stressed the role of private stakeholders, underlining
several timesseveral times the need for a real partnership in these mattersthe need for a real partnership in these matters, both for the, both for the
establishment of a functionalestablishment of a functional National Cyberspace Security Response SystemNational Cyberspace Security Response System and theand the
implementation of a program forimplementation of a program for reducing cyberspace vulnerabilities and threatsreducing cyberspace vulnerabilities and threats, as, as
well as for reaching an effective (and essential) level of international cooperationwell as for reaching an effective (and essential) level of international cooperation

Such a demand has obviously been constant and primary through the years, untilSuch a demand has obviously been constant and primary through the years, until
being put into writing and highlighted by President Obama’s “being put into writing and highlighted by President Obama’s “Presidential PolicyPresidential Policy
Directive – Critical Infrastructures Security and Resilience (PPD-21)Directive – Critical Infrastructures Security and Resilience (PPD-21)” and “” and “ExecutiveExecutive
Order 13636 – Improving Critical Infrastructure CybersecurityOrder 13636 – Improving Critical Infrastructure Cybersecurity”, both made public in”, both made public in
February 2013February 2013

Specifically, according to theSpecifically, according to the PolicyPolicy,, three essential strategic principles are at the rootthree essential strategic principles are at the root
of this reform processof this reform process, namely:, namely:
strengthening the security level of American critical infrastructures and theirstrengthening the security level of American critical infrastructures and their
resilience to cyber attacksresilience to cyber attacks, particularly by clarifying functional relationships (roles and, particularly by clarifying functional relationships (roles and
responsibilities) across the Federal Governmentresponsibilities) across the Federal Government
enabling effective and incisive cyber threat information sharingenabling effective and incisive cyber threat information sharing, especially by, especially by
actively involving intelligence agencies and the private sector, this latter actuallyactively involving intelligence agencies and the private sector, this latter actually
responsible for most of such critical systems, both in the U.S. and in Europeresponsible for most of such critical systems, both in the U.S. and in Europe
implementing the best and most appropriateimplementing the best and most appropriate aggregation functions and data analysisaggregation functions and data analysis
with regard to cyber incidentswith regard to cyber incidents occurred, threats posed and emerging risks, both fromoccurred, threats posed and emerging risks, both from
a strategic and operational standpointa strategic and operational standpoint

Section 4 of the Executive Order 13636: “Section 4 of the Executive Order 13636: “Cybersecurity Information SharingCybersecurity Information Sharing” also” also
focuses on the need to effectively and promptly exchange with the private sectorfocuses on the need to effectively and promptly exchange with the private sector
entities the information related to cyber threats. According to Section 4, it is theentities the information related to cyber threats. According to Section 4, it is the
policy of the United States Government topolicy of the United States Government to increase the volume, timeliness, andincrease the volume, timeliness, and
quality of cyber threat information shared with U.S. private sector entitiesquality of cyber threat information shared with U.S. private sector entities so thatso that
these entities may better protect and defend themselves against cyber threatsthese entities may better protect and defend themselves against cyber threats
Therefore, theTherefore, the crucial role assigned by the American Government to public-privatecrucial role assigned by the American Government to public-private
partnershippartnership in the field of cybersecurity and, consequently, of information sharing,in the field of cybersecurity and, consequently, of information sharing,
seems to be clearseems to be clear

This is especially true after the creation of theThis is especially true after the creation of the National Cybersecurity andNational Cybersecurity and
Communications Integration Center (NCCIC)Communications Integration Center (NCCIC) within the Department of Homelandwithin the Department of Homeland
Security (DHS), aimed to offer aSecurity (DHS), aimed to offer a nexus for information exchangenexus for information exchange among Government,among Government,
private sector, citizens, law enforcement agencies, intelligence and defence operatorsprivate sector, citizens, law enforcement agencies, intelligence and defence operators

In conclusion, the U.S. Government has undoubtedly made significant efforts in theIn conclusion, the U.S. Government has undoubtedly made significant efforts in the
course of time in order to refine andcourse of time in order to refine and make cybersecurity public-private partnership asmake cybersecurity public-private partnership as
efficient as possibleefficient as possible
An accurate analysis of the American organizational system, shows a huge differenceAn accurate analysis of the American organizational system, shows a huge difference
if compared with EU member states’ approaches: theif compared with EU member states’ approaches: the USA Government is the majorUSA Government is the major
player in promoting cooperation and providing private sector entities with most of theplayer in promoting cooperation and providing private sector entities with most of the
necessary information about cyber threatsnecessary information about cyber threats, while the approach of European countries, while the approach of European countries
is diametrically opposite – at least for the countries taken into account so faris diametrically opposite – at least for the countries taken into account so far

As for possible challenges, instead, the high level of complexity of the organizationalAs for possible challenges, instead, the high level of complexity of the organizational
structures makes itstructures makes it extremely difficult to create real trust relationships among theextremely difficult to create real trust relationships among the
actors involved in the several partnership projectsactors involved in the several partnership projects. This is due to the particularly. This is due to the particularly
wide-ranging nature of the projects themselves, which also include the participationwide-ranging nature of the projects themselves, which also include the participation
of far too varied subjects, especially in view ofof far too varied subjects, especially in view of providing security clearances to accessproviding security clearances to access
information sharedinformation shared – as is the case with NCCIC– as is the case with NCCIC

#Public-Private Partnership:#Public-Private Partnership: StrengthsStrengths
In light of the above and from the further analysis of the various international approaches,In light of the above and from the further analysis of the various international approaches, threethree
strengths can be played outstrengths can be played out, clearly reflecting the undeniable need for each government to be, clearly reflecting the undeniable need for each government to be
equipped with structures targeted to create good public-private partnership processes in theequipped with structures targeted to create good public-private partnership processes in the
field of cybersecurity. Therefore, the factors which might make it happen are detailed asfield of cybersecurity. Therefore, the factors which might make it happen are detailed as
follows:follows:
The need for “network building” is clear-cut now, to be reached both through private-privateThe need for “network building” is clear-cut now, to be reached both through private-private
and public-private cooperation, asand public-private cooperation, as none of the subjects involved has an overall overview nor allnone of the subjects involved has an overall overview nor all
the necessary information to effectively tackle the matter on its ownthe necessary information to effectively tackle the matter on its own
By building their networks, private entities canBy building their networks, private entities can become really influential in their relationshipsbecome really influential in their relationships
with the public sectorwith the public sector and reach such relevant goals and effective levels of negotiation thatand reach such relevant goals and effective levels of negotiation that
would have never been possible if working separatelywould have never been possible if working separately
The public sector needs to establish close relationships with private stakeholders, given itsThe public sector needs to establish close relationships with private stakeholders, given its
frequentfrequent incapability to autonomously gain relevant information concerning technicalincapability to autonomously gain relevant information concerning technical
operations, tools, technologies and even – at times – information related to cyber actors’operations, tools, technologies and even – at times – information related to cyber actors’
strategiesstrategies

#Public-Private Partnership:#Public-Private Partnership: Challenges (1)Challenges (1)
Nevertheless, together with strengths,Nevertheless, together with strengths, demanding challenges need to be dealt withdemanding challenges need to be dealt with,,
comprehended and overcome as soon as possible, so that a real, effective and good cooperationcomprehended and overcome as soon as possible, so that a real, effective and good cooperation
system can start soon. In this regard, the main critical issues to face are to:system can start soon. In this regard, the main critical issues to face are to:
Protect more and more specifically theProtect more and more specifically the privacy and civil rights of the citizensprivacy and civil rights of the citizens, who many times, who many times
find themselves indirectly involved in cooperation and information-sharing activities, withoutfind themselves indirectly involved in cooperation and information-sharing activities, without
being aware of itbeing aware of it
Limit as much as possible theLimit as much as possible the risk that public-private partnerships might result in free marketrisk that public-private partnerships might result in free market
distortionsdistortions (both for the protection of private entities’ competitiveness and of governmental(both for the protection of private entities’ competitiveness and of governmental
interests) by accurately setting such partnerships in a recognized legal framework andinterests) by accurately setting such partnerships in a recognized legal framework and
identifying proper authorities for periodic control proceduresidentifying proper authorities for periodic control procedures
Move beyond raising awareness and establishing partnerships with the only businesses owningMove beyond raising awareness and establishing partnerships with the only businesses owning
systems classifiable as critical infrastructures, assystems classifiable as critical infrastructures, as about 99,8% of the overall amount ofabout 99,8% of the overall amount of
businesses is made of SMEs, especially in the EUbusinesses is made of SMEs, especially in the EU

#Public-Private Partnership:#Public-Private Partnership: Challenges (2)Challenges (2)
Effectively detect, counter and reduce cyber attacks by creating aEffectively detect, counter and reduce cyber attacks by creating a central reference system forcentral reference system for
information exchangeinformation exchange between the public/governmental sector and the main privatebetween the public/governmental sector and the main private
stakeholdersstakeholders
Simplify as much as possible theSimplify as much as possible the internal procedures for audit and control of that “public”internal procedures for audit and control of that “public”
informationinformation which might be of help for private sector entities, so as to increase the promptnesswhich might be of help for private sector entities, so as to increase the promptness
of information disseminationof information dissemination
Keep aKeep a low structural complexity in order to create solid trust relationships among the actorslow structural complexity in order to create solid trust relationships among the actors
involved in the cooperation processinvolved in the cooperation process
Arrange procedures addressed to ensuringArrange procedures addressed to ensuring mutual information exchange at differentmutual information exchange at different
classification levelsclassification levels, so as to avoid any slack or even a deadlock, should far too varied subjects, so as to avoid any slack or even a deadlock, should far too varied subjects
take part to the project (especially with regard to security clearances)take part to the project (especially with regard to security clearances)
Develop procedures aimed toDevelop procedures aimed to evaluate private entities’ feedback and short, medium and longevaluate private entities’ feedback and short, medium and long
term results achievedterm results achieved in implementing public-private partnership projectsin implementing public-private partnership projects

#Towards an efficient Public-Private Partnership#Towards an efficient Public-Private Partnership
What came to light helps summarize theWhat came to light helps summarize the main factors for building a really effectivemain factors for building a really effective
and efficient public-private partnershipand efficient public-private partnership. In this regard, the following elements have to. In this regard, the following elements have to
be considered:be considered:
TheThe public sector shall equip with only one reference bodypublic sector shall equip with only one reference body in order to manage itsin order to manage its
relationships with private stakeholdersrelationships with private stakeholders
The public reference body shall beThe public reference body shall be closely linked to the top political and strategicclosely linked to the top political and strategic
decision-making bodiesdecision-making bodies
It is of prime importance that the political and strategic hub exchanges informationIt is of prime importance that the political and strategic hub exchanges information
with its private ‘operational branch’ in thewith its private ‘operational branch’ in the shortest time possibleshortest time possible
Industries shall identifyIndustries shall identify only one internal representativeonly one internal representative to stay in contact with in theto stay in contact with in the
public sectorpublic sector

#Towards an efficient Public-Private Partnership#Towards an efficient Public-Private Partnership
[…][…]
General information-sharing is of no use; instead, public information should beGeneral information-sharing is of no use; instead, public information should be
exchanged as much as possible with privates, andexchanged as much as possible with privates, and should be detailed and disseminatedshould be detailed and disseminated
at least with regard to the kind of technologies used by private entities and theat least with regard to the kind of technologies used by private entities and the
industrial sectors at riskindustrial sectors at risk
Periodic andPeriodic and not occasional relationshipsnot occasional relationships shall be plannedshall be planned
Precise rules shall regulate cooperation agreementsPrecise rules shall regulate cooperation agreements, in order to limit as much as, in order to limit as much as
possible the risk that public-private relationships only follow the initiatives (or, evenpossible the risk that public-private relationships only follow the initiatives (or, even
worse, the arbitrary decisions) of those involvedworse, the arbitrary decisions) of those involved
Widespread controlsWidespread controls, both internal and parliamentary, shall be arranged, both internal and parliamentary, shall be arranged
It is essential toIt is essential to develop specific education and research projectsdevelop specific education and research projects, to be appropriately, to be appropriately
funded by public and private entities, as wellfunded by public and private entities, as well

#Conclusion#Conclusion
There is no doubt that complex objectives inevitably mean critical issues to cope with.There is no doubt that complex objectives inevitably mean critical issues to cope with.
Furthermore, it needs to be underlined thatFurthermore, it needs to be underlined that the peculiarities of the cyberspace makethe peculiarities of the cyberspace make
wide-range partnership absolutely necessary and essentialwide-range partnership absolutely necessary and essential. This is especially true since. This is especially true since
the stakeholders active in such a “domain”the stakeholders active in such a “domain” are not in a position to control and gain allare not in a position to control and gain all
the necessary informationthe necessary information so as to effectively tackle this threatso as to effectively tackle this threat
Yet, the fact remains that – now more than ever – cybersecurity has to be regarded asYet, the fact remains that – now more than ever – cybersecurity has to be regarded as
an essential part of security itself,an essential part of security itself, of each country’s economic growth andof each country’s economic growth and
competitiveness, and, consequently, of its national and international economiccompetitiveness, and, consequently, of its national and international economic
strategystrategy. Therefore, upon implementation of these partnerships, their actual and. Therefore, upon implementation of these partnerships, their actual and
extremelyextremely high economic and military value needs to be consideredhigh economic and military value needs to be considered, instead of, instead of
exclusively focusing on the surely helpful but in this case marginal technological andexclusively focusing on the surely helpful but in this case marginal technological and
engineering aspects, as done so farengineering aspects, as done so far

QQ&&AA
09 NOV.09 NOV.
20172017
@MeleStefano info@stefanomele.it

National Security and Public-Private Partnership for Cybersecurity: Strengths and Challenges by Stefano Mele

Recommended

Recommended

More Related Content

Similar to National Security and Public-Private Partnership for Cybersecurity: Strengths and Challenges by Stefano Mele

Similar to National Security and Public-Private Partnership for Cybersecurity: Strengths and Challenges by Stefano Mele (20)

More from CODE BLUE

More from CODE BLUE (20)

Recently uploaded

Recently uploaded (20)

National Security and Public-Private Partnership for Cybersecurity: Strengths and Challenges by Stefano Mele