Governments should work closely with the private sector when designing and detailing their national cybersecurity strategies, a prominent think tank said in a report published on Monday.
“Active participation from the private sector, particularly large technology, telecommunications, and cybersecurity firms, is critical throughout the strategy’s development,” the Center for Cybersecurity Policy and Law (CCPL) said in its white paper. “The private sector can help not only support but also deliver on the government’s cybersecurity objectives and is key to a secure and resilient nation.”
CCPL’s report comes as President Donald Trump’s administration finalizes its own national cybersecurity strategy, which it is expected to roll out this month. The five-page document is expected to address digital deterrence, regulatory harmonization, workforce growth, procurement reforms, emerging technologies and critical infrastructure protection. The White House will follow up the strategy with an implementation plan.
It is unclear how extensively the Trump administration collaborated with the business community in drafting the strategy. But CCPL’s white paper identifies several reasons why close coordination could make the difference between success and failure in implementing the administration’s plan.
Not only does “broad, inclusive engagement” ensure that the strategy “addresses sector-specific concerns,” the report said, but “involving private sector actors, civil society organizations, and key government entities early in the process also helps foster trust-based partnerships for ongoing collaboration.”
CCPL compared nine countries’ cybersecurity strategies and identified common themes in their priorities. Public-private partnerships and centralized coordination were two of the most consistent features, the report said.
CISA worries
Trust could prove to be a stumbling block for the forthcoming U.S. strategy, which is expected to rely heavily on the Cybersecurity and Infrastructure Security Agency (CISA) despite the Trump administration hollowing out the agency and weakening its bonds with state, local, industry and international partners. It is unclear how much input the White House sought on the strategy from CISA or the other agencies that help protect various critical infrastructure sectors from digital and physical threats.
CISA’s level of involvement and resources could determine the fate of Trump’s cybersecurity strategy. The CCPL report argued that an effective strategy relies on “the designation of an overall lead authority with a clear mandate and authority” to spearhead efforts. “A centralized body … can serve as the focal point for coordination, guidance, and information sharing,” the report said. “Given the number of institutions with roles in cybersecurity, strong coordination mechanisms are essential to avoid fragmentation and turf issues.”
Congress designed CISA to play that coordinating role in the U.S. But under the Trump administration, workforce cuts and program turmoil have hobbled its ability to do so, cybersecurity experts and U.S. officials have told Cybersecurity Dive.
The new report also highlights the importance of dedicating funding to new cybersecurity projects, though it is unclear whether the Trump administration will do so. “Without adequate investment and attention,” CCPL said, “the actions envisioned in the strategy’s policy pillars will remain unfulfilled, and its goals will not be achieved.”
Policy recommendations
In addition to process, the report also covers substance, diving into several topics that a cybersecurity strategy should address. Among those “foundational principles,” according to CCPL, are education and workforce development, product security and cyber hygiene, artificial intelligence governance, quantum computing preparedness and critical infrastructure resilience.
Strategies should also incentivize companies to report cyber incidents, streamline regulations to reduce the burdens on businesses and “lead by example” through flexible, risk-based security standards for government computer networks.