The Business Roundtable (BRT) identified theft of intellectual property and the development of tools and capabilities to disrupt critical services that support the world’s economy, security and public safety as the top concerns.
The BRT cybersecurity recommendation report postulates that the single most important element of an effective cybersecurity policy is information sharing. “Effective information sharing is not only an exchange of threat information but also a robust set of trusted, well-structured and regularised policies and processes among the US government, international allies and private-sector entities,” the report said. “Cybersecurity threats from nation-states and other well-funded, highly motivated actors present risks that neither the public nor the private sector can unilaterally address.”
The group identified effective information sharing as including the two-way exchange of alerts, response actions, situational awareness and mitigation analysis. However, it warned that the government is falling down on the job in this regard.
“Instead of focusing on information sharing and collaborative risk management, government proposals misdirect scarce public and private-sector resources to compliance-based, check-the-box models,” said the report. “These proposals place the cart before the horse by calling for government creation of cybersecurity practices and standards before much-needed information sharing legislation is passed and implemented. Ultimately, these compliance-based solutions would fail to create an adaptive and collaborative structure that would allow the public and private sectors to advance risk management models capable of managing cybersecurity threats as they continue to evolve.”
Instead, a cross-sector approach that allows government and the private sector to exchange specific threat information will require the public sector to create a clear and concise legal framework for both private sector-to-private sector and private sector-to-public sector sharing, with appropriate liability, antitrust and freedom of information protections for those acting within the framework.
Once cyber threat information is readily shared between the public and private sectors, it will be necessary to expand existing efforts to develop threat-informed risk management and mitigation methodologies. To accomplish threat-informed risk management, new policies must build on existing sector coordinating councils and government operations centres, and must position senior public and private-sector leaders to collaboratively oversee cybersecurity efforts, the BRT recommended.
“BRT CEOs will invest in the infrastructure necessary to receive shared threat information and will develop the capabilities required to integrate cyber-security threat and risk information into CEO risk management,” the group said. “BRT also recommends that boards of directors, as part of their risk oversight functions, continue to periodically review management’s business resiliency plans, including cybersecurity, and oversee risk assessment and risk management processes, including those applicable to cybersecurity.”
The roundtable represents US companies with more than $7.3 trillion in annual revenues and nearly 16 million employees – a third of the value of the New York Stock Exchange.