Public-Private Cybersecurity

Calls for public-private partnerships to address U.S. cybersecurity failures have become ubiquitous. But the academic literature and public debate have not fully appreciated the extent to which the United States has already backed into a de facto system of “public-private cybersecurity.” This system is characterized by the surprisingly important, quasi-governmental role of the private sector on key cybersecurity issues, and correspondingly by instances in which the federal government acts more like a market participant than a traditional regulator. The public-private cybersecurity system challenges scholarly approaches to privatization, which focus on maintaining public law values when government functions are contracted out to private parties. The informal and complicated structure of public-private relationships in cybersecurity renders concerns about public law values at once more serious and more difficult to remedy.

The Article first explores the line between public and private functions and provides a descriptive account of the public-private cybersecurity system. It highlights the relative roles of the U.S. government and private sector in four important contexts related to international cybersecurity threats: (1) disrupting networks of infected computers used by transnational criminal groups (“botnet takedowns”), (2) remediating software vulnerabilities that can be used for crime, espionage, and offensive operations (“zero-day vulnerabilities”), (3) attributing cyber intrusions to state-sponsored attackers, and (4) defending privately owned systems and networks from sophisticated, nation state-sponsored attackers.

The Article then uses the public-private cybersecurity system to challenge and complicate existing scholarship on privatization. Procedurally, the public-private cybersecurity system differs from traditional privatization because private actors — not the government — decide what functions they should perform, and private actors operate outside of contractual frameworks that have traditionally restrained private contractors. Substantively, the cybersecurity context implicates public law values addressed in prior work — including accountability, transparency, and due process or fairness — but it also raises additional concerns about security and privacy.

Evaluating how the public-private cybersecurity system attains and falls short of public law values yields broader lessons for cybersecurity governance and for privatization. The public-private cybersecurity system shows that concerns about public law values are not unidirectional — sometimes threats to public values come from the government, not the private sector. On the other hand, while empowered private parties play a crucial role in cybersecurity and in many ways currently support public values, this alignment is a present fortuity, not a structural feature, and so may shift in the future, posing new threats to public law values. These complexities require new kinds of context-dependent solutions to safeguard public law values. The Article concludes by suggesting several such remedies for the public law failings it identifies.

 

Download the paper from SSRN.