The responsibilities of public and private sector organizations differ as a function of the threat region. In all regions of the threat from everyday to strategic, however, each sector of society has some responsibility.
The primary responsibility for the Everyday region of the threat topology falls upon the private sector. First and foremost, private sector organizations must assume responsibility for the protection of their own systems. When security laws and regulations are legislated and formulated, these organizations will, of course, also be responsible for adhering to these rules of the game.
Given the time it may take to develop and put in place a legal and regulatory framework to deal with the myriad of information security issues, it is proposed that on a voluntary basis, private sector organizations assume the responsibility for reporting incidents. It is hard to overstate the importance of the collection of information related to information attacks and their analysis. Without the development of a body of knowledge concerning these attacks, efforts at building defenses will be severely hampered.
The Government (including the federal, state, and local levels) must assume certain responsibility for this region of the threat topology as well. Clearly, the Government bears the responsibility for protecting its own systems and for the enforcement of appropriate laws and regulations. Given the importance of gaining international cooperation on this problem that knows no state boundaries, the Government must take on the negotiation of the necessary treaties and agreements.
Clearly, the collection of incident data with respect to its own systems is also a Government responsibility. But given the importance of pooling information to gain a more accurate situation assessment, the Government must also put in place appropriate mechanisms for data sharing, analysis of data, and the dissemination of results. Issues related to classification and security of these data and the products of these analyses will need to be addressed. A way must be found to get the information that individuals and organizations need to defend themselves to those involved in the effort.
The Federal Government has the responsibility for the defense of the Strategic region of the threat topology, albeit with some support in selected areas from the private sector and state and local governments. Given the dynamic and interactive nature of this situation, it is important that the current and emerging threat be as fully understood as possible. Therefore, utilizing information collected as well as information reported by others, the Federal Government has the responsibility to perform strategic threat analyses on an ongoing basis.
The Federal Government also needs to develop an appropriate deterrence strategy designed to dissuade potential attackers. Strategic systems must be monitored and surveillance operations must be mounted.
Obviously, the Federal Government has the responsibility for protecting strategic information and the systems that collect, store, process, and disseminate this information.
Finally, the Federal Government needs to develop plans for reconstitution of damaged or disrupted systems and lost, compromised, or damaged information and for implementation of these plans should an event occur.
The private sector also has a role to play in this region of the threat topology. First, many strategic systems depend to some extent on the availability and integrity of private sector or state and local government information and systems. Second, some private sector or state and local government information and systems may be so critical that they are, for all intents and purposes, strategic. In both these cases, organizations need to cooperate with the Federal Government to protect these systems and the information they handle. Developing an adequate understanding of the threat requires that all organizations report incidents and share data related to attacks, whether successful or not. Thus another responsibility that must be assumed by private sector organizations is the prompt reporting of incidents and related information.
The division of responsibilities for this region of the threat topology is not as clear-cut or as familiar as for the other two regions. In this zone of collaboration, public and private sector organizations need to find ways and create mechanisms that foster a shared perception of the nature of the threat, particularly those aspects of a situation that increase the likelihood of strategic consequences. In addition, ways should be found to enhance our defenses and improve our ability to mitigate the effects of attacks in this region to prevent them from having strategic consequences.
In this region, the Government needs to take the lead in helping to develop the necessary understanding of the threat, while the private sector needs to support Government efforts by providing incident data. The Government also needs to take the lead in developing coordinating mechanisms designed to both support improved understanding and the coordination of defenses.
The two biggest challenges associated with this pivotal threat region are first, the recognition of when an attack of strategic significance has begun and in characterizing the nature and scope of the attack and second, in the effecting of a transition from a "peace time" to a "war time" footing. The success of the processes and mechanisms developed to coordinate this transition will be critical to the success of any IW-D strategy.
The private sector needs to take the lead in this region by turning improvements in understanding into more effective defenses. This includes not only enhanced detection tools and techniques but also an improved ability to contain an attack, thereby limiting its spread, damage, and consequences. The Government needs to assist the private sector in these efforts by providing resources and technical support. Resources might take the form of tax incentives, or as was recommended in the case of some private sector systems that were deemed to be strategic, direct payments.