Frequently Asked Questions: National Cyber Security Partnership
What is the National Cyber Security Partnership?
The National Cyber Security Partnership (NCSP) combines representatives
industry and academia working together to harden
the nation’s cyber defenses. The partnership provides
a forum, structure and common agenda for interdisciplinary,
information exchange with government. Lead organizations of
the partnership are: the Business Software Alliance, Information Technology
Association of America, TechNet and the U.S. Chamber of Commerce.
The public-private partnership was formed during the National
Cyber Security Summit on December 3, 2003, which aimed to gather
security experts across disciplines to embark on a work program
to develop recommendations for implementing key challenges
in the 2003 National Strategy to Secure Cyberspace.
How does NCSP relate to the U.S. Department of Homeland Security
or the White House National Strategy to Secure Cyberspace?
The partnership has no formal relationship with the Department
of Homeland Security (DHS), although DHS Secretary Ridge
issued a call to action at the December Summit, and the agency is
welcoming partnership recommendations and will consider which
initiatives it may support.
As to the National Strategy, creation of this document in
2003 was an important first step in recognizing the critical
of information technology in the nation’s critical infrastructure
industries and defining high-level approaches to strengthening
the security of these systems. Since the release of the strategy,
the government has initiated a sweeping reorganization of its
homeland security and cyber security agencies. The partnership
new sense of momentum to realizing the public-private partnership
envisioned in the strategy and acting on its recommendations.
Why is the partnership necessary?
The partnership was conceived as a cross-sectoral initiative
to respond to the multifaceted challenges identified in the
National Strategy. Cyber security suppliers and customers
security is a "weakest link" issue that cuts across
industry boundaries, impacts businesses of all sizes, as well
as home users,
and requires responsible action from all stakeholders. While
several groups exist to build cyber security awareness or share
no single group has the scope in terms of mandate or composition
to address the entire problem.
How is the partnership structured and why is it structured
The partnership is comprised of five task forces, with each
addressing a key challenge identified in the National Strategy:
for Home Users and Small Businesses; 2) Cyber Security Early
Warning Systems; 3) Corporate Governance; 4) Technical Standards
Criteria; and 5) Security Across the Software Development
Life Cycle. These groups met for the first time at the 2003
and serve as the partnership’s primary mechanism for
moving from plan to action.
Who is managing these task forces?
The task forces are managed by the lead organizations of
the partnership: the Business Software Alliance (Software
Technology Association of America (Early Warning Task Force);
TechNet (Corporate Governance and Technical Standards task
the U.S. Chamber of Commerce (Public Awareness Task Force).
The management of these task forces is primarily a secretariat
the task force memberships — on average, about 25 to 30 people
each — provide the substantive expertise to task force
What are the major activities of the partnership?
Partnership task forces have met numerous times during the
first quarter of 2004 to pursue the goals and objectives
the December Summit. Each task force has prepared a series
of recommendations, available on the partnership website
The partnership task forces on Awareness and Early Warning
released their recommendations on March 17, 2004. Other task
release their recommendations later in March and in April.
What are the most significant recommendations of the partnership?
A brief synopsis of the recommendations, activities and deliverables
of the Awareness and Early Warning task forces follows:
Awareness: Developed a Small Business Guidebook to Cyber
Security for small businesses and made available, for free,
Risk Profiler with cyber scoring — technology to assist
small businesses in identifying and managing their cyber risk.
outreach relationships to vertical industries, government agencies,
educators and other key stakeholders.
Early Warning: Proposed creation of a National Early Warning
Contact Network (EWAN). Designed to bolster early warning
information-sharing about cyber security vulnerabilities,
threats and incidents
and across industries, EWAN would be a multi-channel communications
network involving new and existing information sharing networks,
initially housed at US-CERT and implemented by late fall
Proposed development of a National Crisis Coordination Center
(NCCC). A physical structure staffed by critical infrastructure-sector
experts, as well as representatives from federal, state and
government, the NCCC would provide large-scale cyber and
physical security crisis coordination operations, effective
The partnership task forces on Corporate Governance, Technical
Standards and Software Development will release their recommendations
later in March and in April.*
How will the recommendations of the partnership be implemented?
Implementation strategies vary by recommendation. Some
involve a better rationalization of existing resources.
voluntary adoption by industry. Still others require
government endorsement and funding.
How is the partnership funded?
The partnership is based on the voluntary, in-kind contribution
of services by the principal trade associations and participating
How will specific partnership initiatives be funded?
Will government money be required?
Partnership activity will continue to be based on the
in-kind model. In certain instances, such as the creation
Coordination Center, government will be asked to contribute
substantially to the necessary funding.
If these recommendations were implemented, would the nation’s
cyber security problems be solved?
Like most risks in life, cyber security risks can be
mitigated, but not completely eliminated. The nature
of the threat
is constantly evolving. Not all companies and institutions
share the same
level of commitment to protecting their cyber-dependent
resources from attack. A certain percentage of home users
uninformed about online security best practices. The
however, that widespread adoption of its recommendations
will substantially reduce the nation’s cyber security vulnerability.
Does the partnership recommend a stronger role for government
in mandating cyber security?
The partnership believes that government must remain
a strong advocate for heightened cyber security and must
this area by raising its own cyber security profile.
partnership advocates increased spending by government
agencies to put
in place the appropriate people, processes and technologies
this purpose. The partnership believes that attempts
by government to legislate or regulate cyber security
creating a "least common denominator" for cyber security
practitioners and doing little to stop those intent on wrongfully
hacking into systems.
What gives these recommendations real teeth?
Industry must take proactive steps to demonstrate its
commitment to making substantial improvements in this
by the partnership to carry through on its recommendations
to adopt them will open the door for greater government
Will the partnership dissolve after this rollout?
The partnership will continue its activities into the
foreseeable future. While certain recommendations may
pursued and accomplished, other requirements may be identified
new task forces assembled. The partnership has been highly
in pulling together technology and policy experts from
a wide range of organizations, and its effectiveness
continue to be emphasized.