White House Cyber Strategy Urges Deeper Industry Partnership Without Defining Roles

The Trump administration’s national cyber strategy calls for a “new level of relationship” and a more active role from the private sector in defending cyberspace, while explicitly ruling out offensive actions such as hack back. A central question remains unresolved: What exactly does Washington want companies to do differently?
Senior officials have framed the new strategy as a shift toward deeper collaboration with industry, arguing that private companies sit closest to the infrastructure, data and networks where cyberthreats are first detected. But while the strategy emphasizes partnership, it offers limited detail on the specific operational responsibilities the private sector is expected to take on, raising questions among analysts and industry leaders about how the policy will translate into practice.
Administration officials have suggested in public remarks and interviews that the answer lies somewhere in expanding the private sector’s current role in providing visibility into cyberthreats – particularly by sharing data that can help the government identify and respond to malicious activity more quickly.
“What really is key to all of this – what’s been key in the past – and what could be improved is the information, and the flow of that information between the [U.S. government] and the private sector,” National Cyber Director Sean Cairncross said Wednesday during a conversation with Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. “I’m not talking about the private sector, industry or companies engaging in a cyber offensive campaign,” he said.
The Office of the National Cyber Director has been working in recent months to ensure “that information is actionable, and there is an alignment of priorities” between the public and private sectors, he said.
Ruling out concepts such as hack back or other offensive cyber actions by private companies leaves a narrower and less clearly defined middle ground between passive information sharing and active disruption – and one that policymakers have yet to fully articulate.
For private sector partners to the feds across industry, the ambiguity is nothing new: Companies already share significant volumes of cyberthreat intelligence with the federal government through established programs and partnerships. Those efforts include sector-specific information sharing and analysis centers, as well as initiatives led by the Cybersecurity and Infrastructure Security Agency aimed at improving coordination between government and industry.
One area drawing increased attention is the potential role of internet service providers and telecommunications companies, which are uniquely positioned to observe and potentially act on malicious traffic moving across their networks. Some experts argue that these providers could play a more proactive role in disrupting cyberthreats, but only if longstanding legal and economic barriers are addressed.
“Right now our ISPs and telecommunications companies could disrupt more malicious traffic that they know is transiting their networks, but they really have no incentive to do that because it’s all downside and no upside for them,” said Michael Daniel, president of the Cyber Threat Alliance and former White House cyber coordinator. “If they get something wrong, they get sued. If they get something right, they get nothing.”
Other analysts echoed similar concerns in conversations with Information Security Media Group: While expectations for increased private sector involvement are rising, the incentives and protections needed to support that role remain largely unchanged.
Administration officials have pointed to potential updates to reporting requirements and regulatory frameworks, describing a need for more “common sense” rules that reduce friction and improve collaboration between government and industry. But those proposals, like much of the strategy, are high-level, with few concrete details on how reporting obligations might change or how regulatory burdens could be streamlined without weakening security.
Industry groups have largely welcomed the strategy’s emphasis on partnership, but have also stopped short of outlining specific new commitments or operational shifts.
USTelecom President and CEO Jonathan Spalter said broadband providers already “build and defend the networks Americans rely on every day” and are working closely with government partners to keep infrastructure secure.
Information Technology Industry Council general counsel John Miller said achieving the administration’s goals “will require deeper, real-time public-private information sharing and operational collaboration to detect, disrupt and deter malicious actors,” adding: “We encourage the administration to continue working closely with industry to ensure the United States can defend itself, protect its economy and take the fight to its adversaries in cyberspace.”
The Office of the National Cyber Director did not respond to a request for comment on what specific steps industry can take to expand data sharing and visibility.
