CSIA 360: Cybersecurity in Government Organizations

Project 3: Public-Private Partnerships for Cybersecurity
For this research project, you will be helping identify best practices and strategies for encouraging business participation in public-private partnerships designed to improve cybersecurity for various critical infrastructure sectors. Your deliverable will be a research report which provides an overview of existing public-private partnerships, the types of cybersecurity improvements which are being addressed by such partnerships, the potential benefits to industry partners, and the potential risks and/or costs in resources. Your report should also address the types of due diligence activities a company should engage in before committing to participation in information sharing and other public-private partnership activities.

Research:
1. Read / Review the Weekly readings.

2. Research the concepts and structures for public-private partnerships as a means of furthering public policy goals. Your starting resources are:

a. What are Public Private Partnerships (World Bank) http://ppp.worldbank.org/public-private-partnership/overview/what-are-public-private-partnerships

b. The Policy Cycle http://www.policynl.ca/policydevelopment/policycycle.html

3. Research existing or proposed public-private partnerships in cybersecurity and critical infrastructure protection. Here are some sources to get you started:

a. http://www.lawandsecurity.org/Portals/0/Documents/Cybersecurity.Partnerships.pdf

b. http://csis.org/files/publication/130819_tech_summary.pdf

c. http://www.hsgac.senate.gov/hearings/strengthening-public-private-partnerships-to-reduce-cyber-risks-to-our-nations-critical-infrastructure

d. http://www.hsgac.senate.gov/download/?id=66d59b29-25ac-4dc1-a3af-040dcfe3bd38

e. http://www.hsgac.senate.gov/download/?id=5a70808b-ff76-411d-9075-5b21c7398bf5

4. Research the DHS led public-private partnership for Critical Infrastructure Cybersecurity improvements. You should also review the requirements and provisions of the NIST Cybersecurity Framework for Critical Infrastructure Protection. Find out why DHS is encouraging the adoption of this framework.

a. https://www.dhs.gov/ccubedvp

b. https://www.us-cert.gov/ccubedvp

c. https://www.us-cert.gov/sites/default/files/c3vp/smb/CCubedVP_Outreach_and_Messaging_Kit_SMB.pdf

5. Find additional sources which provide information about public-private partnerships for cybersecurity, i.e. Information Sharing and Analysis Centers (ISACs) or Information Sharing and Analysis Organizations. Here are two overview /directory web pages to help you get started.

a. http://www.dhs.gov/isao

b. https://www.nationalisacs.org/member-isacs

Write:
Write a five to seven page research report which includes a summary of your research. At a minimum, your report must include the following:

1. An introduction or overview for public-private partnerships which provides definitions and addresses the laws, regulations, and policies which permit this type of cooperation between federal, state, and local governments and private companies. This introduction should be suitable for an executive audience.

2. A separate section which provides an overview of public-private partnerships for cybersecurity which addresses the types of activities which a company could reasonably be expected to contribute to (e.g. information sharing, development of threat intelligence, development of risk profiles, etc.). You should provide 3 or more specific examples.

3. An analysis of whether or not participation in a public-private partnership is likely to have benefits for businesses (with specific examples of those benefits). After you address the benefits, address the problem of costs and/or risks which a company could expect to face (with specific examples). (One risk to consider is how much information about company operations could be exposed to the federal government.)

4. A set of recommendations or best practices for companies to engage in before committing to participation in a public-private partnership for cybersecurity. (Address the requirement for due diligence in decision making.)

5. A separate closing section in which you summarize your research and recommendation(s).