Frequently Asked Questions: National Cyber Security Partnership

What is the National Cyber Security Partnership?
The National Cyber Security Partnership (NCSP) brings together representatives from government, industry and academia to harden the nation’s cyber defenses. The partnership provides a forum, structure and common agenda for interdisciplinary, cross-industry information exchange with government. The lead organizations of the partnership are the Business Software Alliance, Information Technology Association of America, TechNet and the U.S. Chamber of Commerce. The public-private partnership was formed during the National Cyber Security Summit on December 3, 2003, which aimed to gather cyber security experts across disciplines to embark on a work program to develop recommendations for addressing key challenges posed in the 2003 National Strategy to Secure Cyberspace.

How does NCSP relate to the U.S. Department of Homeland Security or the White House National Strategy to Secure Cyberspace?
The partnership has no formal relationship with the Department of Homeland Security (DHS), although DHS Secretary Ridge issued a call to action at the December Summit, and the agency is welcoming partnership recommendations and will consider which recommended initiatives it may support.
                     
As to the National Strategy, creation of this document in 2003 was an important first step in recognizing the critical role of information technology in the nation’s critical infrastructure industries and defining high-level approaches to strengthening the security of these systems. Since the release of the strategy, the government has initiated a sweeping reorganization of its homeland security and cyber security agencies. The partnership brought a new sense of momentum to realizing the public-private partnership envisioned in the strategy and acting on its recommendations.
                     
Why is the partnership necessary?
The partnership was conceived as a cross-sectoral initiative to respond to the multifaceted challenges identified in the National Strategy. Cyber security suppliers and customers recognize that security is a "weakest link" issue that cuts across industry boundaries, impacts businesses of all sizes, as well as home users, and requires responsible action from all stakeholders. While several groups exist to build cyber security awareness or share information, no single group has the scope in terms of mandate or composition to address the entire problem.
                     
How is the partnership structured and why is it structured this way?
The partnership comprises five task forces, each addressing a key challenge identified in the National Strategy: 1) Awareness for Home Users and Small Businesses; 2) Cyber Security Early Warning Systems; 3) Corporate Governance; 4) Technical Standards and Common Criteria; and 5) Security Across the Software Development Life Cycle. These groups met for the first time at the 2003 Summit and serve as the partnership’s primary mechanism for moving from plan to action.
                     
Who is managing these task forces?
The task forces are managed by the lead organizations of the partnership: the Business Software Alliance (Software Task Force); Information Technology Association of America (Early Warning Task Force); TechNet (Corporate Governance and Technical Standards task forces); and the U.S. Chamber of Commerce (Public Awareness Task Force). The management of these task forces is primarily a secretariat function; the task force memberships — on average, about 25 to 30 people each — provide the substantive expertise to task force recommendations.
                     
What are the major activities of the partnership?
Partnership task forces have met numerous times during the first quarter of 2004 to pursue the goals and objectives formulated at the December Summit. Each task force has prepared a series of recommendations, available on the partnership website at www.cyberpartnership.org. The partnership task forces on Awareness and Early Warning released their recommendations on March 17, 2004. Other task forces will release their recommendations later in March and in April.
                     
What are the most significant recommendations of the partnership?
A brief synopsis of the recommendations, activities and deliverables of the Awareness and Early Warning task forces follows:
                     
Awareness: Developed a Small Business Guidebook to Cyber Security for small businesses and made available, for free, a Cyber Risk Profiler with cyber scoring — technology to assist small businesses in identifying and managing their cyber risk. Created outreach relationships to vertical industries, government agencies, educators and other key stakeholders.
                     
Early Warning: Proposed creation of a National Early Warning Contact Network (EWAN). Designed to bolster early warning information-sharing about cyber security vulnerabilities, threats and incidents within and across industries, EWAN would be a multi-channel communications network involving new and existing information sharing networks, initially housed at US-CERT and implemented by late fall 2004.
                     
Proposed development of a National Crisis Coordination Center (NCCC). A physical structure staffed by critical infrastructure-sector experts, as well as representatives from federal, state and local government, the NCCC would provide large-scale cyber and physical security crisis coordination operations, effective in 2006.

*The partnership task forces on Corporate Governance, Technical Standards and Software Development will release their recommendations later in March and in April.*

How will the recommendations of the partnership be implemented?
Implementation strategies vary by recommendation. Some involve a better rationalization of existing resources. Others involve voluntary adoption by industry. Still others require government endorsement and funding.
                         
How is the partnership funded?
The partnership is based on the voluntary, in-kind contribution of services by the principal trade associations and participating companies.
                         
How will specific partnership initiatives be funded? Will government money be required?
Partnership activity will continue to be based on the in-kind model. In certain instances, such as the creation of the National Crisis Coordination Center, government will be asked to contribute substantially to the necessary funding.
                         
If these recommendations were implemented, would the nation’s cyber security problems be solved?
Like most risks in life, cyber security risks can be mitigated, but not completely eliminated. The nature of the threat is constantly evolving. Not all companies and institutions will share the same level of commitment to protecting their cyber-dependent resources from attack. A certain percentage of home users will remain uninformed about online security best practices. The partnership believes, however, that widespread adoption of its recommendations will substantially reduce the nation’s cyber security vulnerability.
                         
Does the partnership recommend a stronger role for government in mandating cyber security?
The partnership believes that government must remain a strong advocate for heightened cyber security and must demonstrate leadership in this area by raising its own cyber security profile. The partnership advocates increased spending by government agencies to put in place the appropriate people, processes and technologies to accomplish this purpose. The partnership believes that attempts by government to legislate or regulate cyber security would be counterproductive, creating a "least common denominator" for cyber security practitioners and doing little to stop those intent on wrongfully hacking into systems.
                         
What gives these recommendations real teeth?
Industry must take proactive steps to demonstrate its commitment to making substantial improvements in this area. Failure by the partnership to carry through on its recommendations or by companies to adopt them will open the door for greater government involvement.
                         
Will the partnership dissolve after this rollout?
The partnership will continue its activities into the foreseeable future. While certain recommendations may be proposed, pursued and accomplished, other requirements may be identified and new task forces assembled. The partnership has been highly effective in pulling together technology and policy experts from a wide range of organizations, and its effectiveness at consensus-building will continue to be emphasized.
                         