Evolving Role of Government in Cyber Security

The 21st century has so far signaled an era of wide-scale deregulation and privatization, with much of the nation’s critical infrastructures (energy, transport, finance, medicine) now in the hands of the private sector.

These critical infrastructures are constantly targeted by adversaries ranging from non-state actors such as terrorist groups, hacktivist groups, organized criminals, etc. to state actors, and due to our high degree of interconnectedness across the globe, security incidents can exert cascading and crippling effects nationally, regionally and even internationally. 

Part of the reason why it can be difficult to secure critical infrastructures is due to the divergence of interests between the private and public sectors. The private sector’s primary focus is corporate efficiency: in terms of security, it does what it believes is “enough”, implementing the bare minimum level of security, since its main goal is profit-making. The government, in contrast, is principally concerned with achieving social order, national security and economic prosperity for its population.

A 2010 Euro Social Survey reported that almost 70% of EU citizens find it very important that governments ensure the safety of citizens against all threats. Yet governments today do not provide close supervision of, or operational control over, these critical infrastructures that now fall within the realm of the private sector. As a result, it has been argued that the role of government as the legitimate provider of security has diminished, and that it will continue to weaken moving forward.

As I meet with different governing bodies around the world, my strong impression is that this matter is by no means straightforward for them, and that they are indeed grappling with the challenge of determining what their roles in cyber security could or should be, especially vis-a-vis the private sector.

I argue, however, that the changing global landscape should not require that the role of governments as the legitimate provider of security be diminished, on the condition they are able to understand clearly how the world has changed and is changing, and what their role(s) should be within this new environment of increasing interconnectedness.

Furthermore, I argue that, in order for governments to be successful in this new environment, their remit must transcend what their historical regulatory role has typically entailed. They now need to tackle the questions of how they can best assist the private sector to invest in security (facilitation), and how public and private sectors can together improve the current state of security (collaboration). To formulate a viable approach going forward, this is the framework through which governments must strategize, and they must be ready to draw upon analogous lessons learned from past preparedness efforts geared towards other areas of threat, such as pandemic and terrorism.

For more information and to view my presentation on Cyber Security please visit our slideshare account here

About Kah Kin Ho

Kah-Kin Ho has been with Cisco for more than 17 years and in his current position as the Head of Cyber Security Business Development he has been involved in providing thought leadership to private and public sector organizations on how to respond to cyber risk and threat. Prior to this, he was a Solution Architect in the Global Government Solutions Group involved in large Defense programs in Asia Pacific and Europe. In addition Kah-Kin had spent 4 years working with Defense System Integrators to jointly develop solutions for the Tactical Battlefield. Kah-Kin has also filed 2 US Patents on IP Networking protocols. Kah-Kin graduated from the State University of New York at Buffalo with Bachelor and Master of Science degrees in Electrical Engineering. He also has a Master degree in Security Policy and Crisis Management from ETH Zürich. Kah-Kin Ho a joint les rangs de Cisco il y a plus de 17 ans et occupe présentement le poste de chef du développement des affaires de cybersécurité. Il offre aux organisations des secteurs public et privé son leadership éclairé sur la façon de réagir aux risques et aux menaces informatiques. Avant d’occuper ce poste, il agissait à titre d’architecte de solution au sein du groupe de solutions mondiales pour le gouvernement, participant à d’importants programmes de défense en Asie du Pacifique et en Europe. De plus : Kah-Kin avait travaillé avec des intégrateurs de système de défense pendant 4 ans afin de développer conjointement des solutions pour le champ de bataille tactique. Kah-Kin a également déposé deux brevets aux États-Unis sur les protocoles de réseaux IP. Kah-Kin est diplômé de l’Université de l’État de New York à Buffalo, ayant obtenu un baccalauréat et une maîtrise en sciences du génie électrique. Il est également titulaire d’une maîtrise de l’ETH Zürich en stratégie de sécurité et gestion des crises.
This entry was posted in All Posts and tagged , , , , , , . Bookmark the permalink.

2 Responses to Evolving Role of Government in Cyber Security

  1. Albert Essandoh says:

    Kah Kin Ho, thanks for your excellent thinking here. Surely, one can agree with your suggestions, especially when there is a lack of supervision of critical infrastructures and/or operational controls in the private sector. However, the issue that keeps coming up in this discourse about the role of government, is the extent to which the private sector can be trusted, knowing that, they have a profit or corporate efficiency agenda, which limits them to related resources, whereas govt is interested in “achieving social order, national security and economic prosperity for its population.” One can agree there is a need for some form of collaboration and shared approach within your paradigm where govt must have an updating system to keep them abreast with implementing current changes. Do you think it is time to see non profit organizations help bridge the gap between corporate and government interests in this matter? Do you think your model will be helpful to the Chinese who already have much within their control? Thanks for sharing.

  2. Kah Kin Ho says:

    Hi Albert,

    thank you for your interesting comments on my blog article. I have had the opportunities to participate in a number of Chief Information Security Officer (CISO) round tables and these CISOs are mostly from pretty prominent private sector organizations, quite a few of which own critical infrastructures in different countries. My observation is there are quite a few factors influencing how much a private sector organization is willing to invest in security. For example in some organizations there is no strong security culture within the upper management ranks, so the CISO is really fighting an uphill battle in trying to get security on top of his / her organization’s agenda. Some organizations have the belief that if you want to solve the security problem, all you have to do is to go out there and buy point security products but they are not allowed to hire more skilled security people. There are a lot more factors than what I can enumerate in this response, but what I strongly believe is governments must play a contributing role and be willing to pony up resources in the form of money and people to help with this. What governments should do is to understand the different factors affecting how private sector make security investment, and with that understanding, governments can use a combination of the 3 measures that I introduced in my article (Regulate, Facilitate, Collaborate) to affect change in private sector’s attitude and behaviour toward security.

    On whether there is a need for non-profit organizations helping to bridge the gap, I think it comes down to the 2-way trust between the private and public sector. If there is a trust deficit I can see how a trusted 3rd party organization playing an instrumental role in this. Not sure if I can answer the question whether the model can help the Chinese, but generally speaking less democratic countries are more focused on regulating content whereas the more democratic countries have less emphasis on regulating content and are more focused on threat to their critical infrastructures.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s