Public-private collaboration in the field of cybersecurity
On the 12th of January 2018, the World Economic Forum published a report called “Cyber Resilience. Playbook for public-private collaboration”, with the support of Boston Consulting Group.
This report provides a list of 14 recommendations for facing cyber threats that affect both public and private entities:
Research, data and intelligence sharing: What is the government’s role in sharing and promoting the dissemination of threat intelligence?
Zero-days: To what extent should the government be involved in the research, development and purchase of zero-day vulnerabilities and exploits? To what extent should government share these vulnerabilities with the private sector?
Vulnerability liability: Who is liable for securing a vulnerability? How should that liability shift if/when products transition to end-of-life?
Attribution: How should government engage with the private sector when the private sector publicly alleges that a particular actor is responsible for a given attack?
Botnet disruption: What should be done to prevent the proliferation of botnets? How should existing botnets be researched and studied? How should actors throughout the ecosystem disrupt botnets?
Monitoring: What should non-users be able to monitor to promote security and other valid national interests?
Assigning national information security roles: Which entities and organizations should be responsible for fulfilling different national information security roles?
Encryption: Who should be able to access sensitive data and communications?
Cross-border data flows: What are the security and non-security implications of countries exerting control over data?
Notification requirements: When should companies be required to notify relevant stakeholders that they have been breached or otherwise experienced a cyberincident? What sanctions should policy-makers apply to compromised organizations?
Duty of assistance: How should public resources be drawn upon in the wake of a cyberincident?
Active defence: What technical measures should the private sector be empowered to use to deter and respond to cyberthreats?
Liability thresholds: What is the reasonable duty of care that an organization should have? Who should bear the residual damages resulting from cyberincidents when an organization has sufficiently invested in security controls?
Cyberinsurance: What, if any, incentives should be offered to obtain insurance? Which entities should be prioritized for these incentives?
To help frame discussion for leaders in both the public and private sectors, as part of the World Economic Forum System Initiative on Shaping the Future of Digital Economy and Society, the Forum has partnered with The Boston Consulting Group to develop a baseline framework to serve as a springboard for cooperation and shared understanding in cybersecurity policy-making. This report is the result of extensive collaboration, debate, consultation, and iteration to distil complex and nuanced issues in cybersecurity to their irreducible core.
Source: World Economic Forum