One of the buzzwords and oft-stated goals is to develop a successful public/private partnership, and this came up quite a bit at Smart Grid Security East. Perhaps we are mistaken in expecting it to work regularly, or even in believing that it can be successful in most cases where interests are not very closely aligned and the benefits are not large enough to prioritize the project and assign scarce resources.
First, regulation is not a partnership.
I would argue that funding is not a partnership, even when there is cost sharing. When the DoE funds part of Digital Bond’s Bandolier research or DHS funds part of Digital Bond’s Quickdraw research, those organizations are our clients or customers. We have deliverables. When DoE funds NESCO or NESCOR, they are trying to create an organization that can foster a public/private partnership; the funding itself is not a partnership.
In the commercial world there are many partnerships, and most of these partnerships achieve little more than a press release and a bit of marketing buzz. You see these when vendor A, with a product or system, partners with security product or service vendor B, and we cover the ICS version of these in Friday News & Notes. It is not surprising that most of the partnerships don’t produce results, because the interests are not well enough aligned for people to put in the time and resources to succeed. Both parties have to see great value in the effort to prioritize it over so many other possible products, let alone expend the resources to make it successful. Most of the partnerships are genuine in their origin, but just fade away.
So if commercial partnerships frequently fail to produce any results, why should we assume that public/private partnerships will have a higher success rate? In fact, it may be harder for the interests to align than in business, where you can build a business case based on costs and revenue. What is the dollar value to a business of participating in a security standards effort? Or in information sharing? The costs are clear, but the revenue is what?
There are some examples of public/private partnership success, such as NISTIR 7628. The government and industry wanted a security guideline document, and both committed time and money to develop it in a relatively short time. The level of participation was significant, especially as contrasted to efforts like the working groups in ICSJWG/PCSF. Those efforts have failed for years because industry doesn’t see enough benefits to prioritize participation. It is like the press release partnership. Industry and government can tell a good short story about the effort and its goals, and would like to see it work. It is not a fraud; it just is not considered important enough to prioritize and commit resources.
Public/private information sharing partnerships have failed repeatedly. A better way to share the information isn’t the problem. As with many failed partnerships, the two parties don’t see enough value to do what it takes to make the partnership succeed . . . so far.