“Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.”
John Perry Barlow, “A Declaration of the Independence of Cyberspace”, Davos, 1996¹
1. Electronic Frontier Foundation. Barlow, J. P. (2017, 16 May). “A Declaration of the Independence of Cyberspace”. Retrieved 11 December 2017 from https://www.eff.org/cyberspace-independence
“Like in the real world, freedom and order are both necessary in cyberspace. Freedom is what order is meant for and order is the guarantee for freedom. We should respect internet users’ rights to exchange their ideas and express their minds, and we should also build a good order in cyberspace in accordance with law as it will help protect the legitimate rights and interests of all internet users. Cyberspace is not a place beyond the rule of law. Cyberspace is virtual, but players in cyberspace are real.”
Xi Jinping, “At the Opening Ceremony of the Second World Internet Conference”, 2015
“Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched — but as an industry leader we can and must do better… We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it.”
Bill Gates, “Trustworthy Computing”, 2002
States have an obligation to provide security for their citizens. The increasingly networked, digitized and connected world has enlarged and complicated that obligation. These changes have also created new obligations, shared among a variety of actors, from states to corporations to civil society and individuals.
To meet this rapidly expanding obligation, leaders have taken a variety of approaches to securing their digital domains. These policies are shaped by their experience with the networked world and unique national objectives and vulnerabilities. For all their differences, however, these policy approaches to assuring security share a significant commonality: success depends on collaboration between the public and private sectors.
However, effective collaboration is uniquely difficult in the domain of cybersecurity. Cyberthreats are complex, with an ever-expanding and exposed surface for malicious actors to exploit. Each new innovation brings with it new and sometimes unexpected vulnerabilities. That complexity is compounded by the speed and ease with which threats materialize in the digital domain — no expensive “Manhattan Project” style effort is necessary to weaponize computer science. Additionally, the first line of security here is rarely the government. Rather, the first line of security is comprised of the firms and organizations developing this increasingly networked, digitized and connected space.
Public-private collaboration is almost always difficult because of the complexity underlying the interplay between the roles, responsibilities and obligations that the public and private sectors have vis-à-vis each other and the citizens who rely on them. The difficulties of public-private collaboration are magnified when a topic, such as security, is deeply connected to notions of sovereignty: multinational businesses and customers walk a tightrope between potentially contradictory national obligations.
In the case of cybersecurity, that tension is further strained by the decidedly personal nature of securing bits and pieces of an increasing portion of people’s lives. The relationship and — at times trade-off — between security and other values magnifies the need to be inclusive in representing and negotiating between different interests and principles.
Despite these challenges, advancing cyber resilience requires the public and private sectors to collaborate in new and innovative ways. This Playbook is recommended for use by the public and private sectors, together, as a tool to facilitate discussions on building the institutions, frameworks, policies, norms and processes necessary to support collaboration in this vital space.