Using the Playbook for Public-Private Collaboration
The Playbook is intended to guide intra-state public-private collaboration on cybersecurity policy. This Playbook contains two distinct sections in service of that mission: the Reference architecture for public-private collaboration and the Cyber policy models.
Policy-makers and senior executives should begin by reviewing the Reference architecture for public-private collaboration for an overview of cybersecurity policy issues. After reviewing the Reference architecture, it is advisable to turn to a given policy question of interest and review the policy models, which frame each policy question.
Reference architecture for public-private collaboration
While leaders are accustomed to debating cybersecurity policy topics in isolation, there is seldom reflection on whether the sum of the parts of cybersecurity policy crafted on a day-to-day basis amounts to a coherent whole. It is easy to get lost in the particulars of any specific policy and neglect the unintended consequences of a given policy position on the broader edifice of cybersecurity policy. To help facilitate that discussion, the Reference architecture documents the key policy topics as well as some of the interdependencies that policy-makers should keep in mind (e.g. how threat intelligence sharing impacts the formation and disruption of botnets).
Each policy model provides a brief reference for a specific topic, helping leaders in the public and private sectors to develop a baseline understanding of the key issues. In particular, these models provide an analytical framework for approaching policy questions and document the risks and trade-offs associated with each policy, including, importantly, the normative trade-offs. Where appropriate, these models include case studies that illustrate a key concept surfaced by the topic.
The intent of describing trade-offs is not to advance specific policy positions which “should” be taken. Rather, it is to frame the different choices that “could” be made, with the goal of encouraging clear-eyed discussion and debate.
This document will also not enumerate how to operationally implement a specific policy. Rather, the aim is to abstract away from any individual country’s context to provide a common language to discuss cybersecurity policy generally. In practice, implementation will vary by national context: every country has unique latent capabilities, risks, and normative values.
Connecting policy to values
Throughout this discussion of different policy models, on topics ranging from zero-days to attribution, this document will attempt to connect policy positions to the norms and values that those positions prioritize or embody. The intent is to discourage polarization in security dialogue and move beyond the rhetorical simplicity of prioritizing one value over all others (e.g. “privacy cannot exist without security”) or a false-choice narrative that freezes action-oriented debate into prolonged indecision.
In connecting norms and values to policy positions, this document encourages all actors to move past absolute and rigid positions towards more nuanced discussions. To encourage these discussions, the Playbook discusses the implications of policy choices on five key values: security, privacy, economic value, accountability and fairness.
These values were selected on the basis of the judgement of our Working Group, given its experience in the security ecosystem, after considering more than 20 different values ranging from interoperability to social cohesion. For a detailed overview of how these values were considered, from policy evaluation to normative judgement, please see “Normative trade-offs framework” in the appendix.