5 ways private organizations can lead public-private cybersecurity partnerships




Most importantly, civil defense groups can and should be supported by the government under crisis conditions. In other countries, the receipt of strong private support and encouragement by such groups has translated into situational compensation during response periods. Members with certifications and community roles can be compensated for incident response duties performed, something that encourages membership in civil defense organizations based on community and national concern.

The United States has a tradition of private support for such initiatives, including the pre-WWI preparedness movement and the WWII-era Civil Air Patrol, each of which helped develop strong working partnerships between industry and government based on shared civic interests and engagement. With cybersecurity, active support for a network of civil defense groups could also succeed along these lines, creating the foundation of shared private-civic interests and capabilities that CISA strategic efforts (and constrained funding!) can plug into. 

2. Target constellations of influence

Related to the need for whole-of-society collective approaches for building better P3 efforts, private cybersecurity stakeholders should better organize their outreach. In part, this means that cybersecurity practitioners and their business counterparts should internalize the fact that speaking to the public about risks and vulnerabilities is a net positive for both firms and society.

Consider the example of Biden administration activity just prior to the 2022 launch of Putin’s invasion of Ukraine. By rapidly de-classifying threat information about Russian mobilization, the US government risked heightened visibility into the intelligence activities of America’s defense community, even opening space for criticism about past support for Ukraine. Yet, what followed was the generation of powerful audience cost effects in favor of supporting Kyiv.

By framing Western vulnerability and know-how in the same pragmatic image of imminent threat, the Biden administration cultivated immense popular acknowledgement of the negative repercussions of not committing resources to a previously unpopular type of security support mechanism. The same kind of messaging on cybersecurity can only bring net benefits for industry cybersecurity stakeholders.

If the goal of the JCDC is at least partly to graft CISA’s map of strategic digital vulnerability onto civil and industry partnership collaboratives, then more direct attempts to build common understanding and demonstrate audience costs for inaction will insulate private actors whose messaging involves admitting vulnerability. It would also make the support of volunteer service intermediaries a much more tenable model for civil defense than anything that currently exists in the United States.

In part, better organization of outreach for industry also means being smart about which decision-makers and networks of officials are critical for selling a vision of private-led P3. Robust civil cyber defense as an aid to traditional crisis response and mitigation capabilities doesn’t just require accessing constellations of influence among the public. It also means accessing switchers and programmers in public service. Switchers are those people with the power to constitute and define networks dedicated to a purpose, such as technical experts who make decisions about how to deploy and manage technology that dictates how an organization operates. Programmers are those with the capacity to ensure that networks (e.g., security teams, companies, developers) can work together by ensuring common language, goals, etc.

Public-private partnerships are ostensibly about blending people like this together to produce a better outcome via collaboration than was previously the case. Unfortunately, as criticism of the JCDC emphasizes, top-down P3 efforts often fail to effectively do so due to the role of strategic parameters driving derivative mission parameters. If industry is to shape CISA’s P3 cyber initiatives more clearly toward alignment with practical tactical considerations, mapping out where innovation and adaptation come from in the interaction of key individuals spread across a complex array of interacting organizations (particularly during a crisis) becomes a critical common capacity.

3. Use academia and the rest of the world

Related to this need for better mapping of the response landscape to aid outreach, industry stakeholders must eschew all notions of American exceptionalism (or, at least, the idea that the United States constitutes a unique attack surface). As already mentioned, foreign P3 activity is in many cases far in advance of what exists in the US and can serve as a reasonable model for experimentation in building collaboration beyond what is proposed from the top down. Moreover, incidents encountered by private actors in other countries can and should serve as a basis for collective efforts to actively model and prepare for future calamity.

There is a strong case to be made for building shared analytic resources that leverage not just the traditional technical focus of so many cybersecurity initiatives, but also the institutional-strategic focus that the federal government so often emphasizes. Here, academics and universities are obvious partners, particularly where partnerships can be developed within local and state-level communities.

Collaboration with the goal of learning more about the governance of cyber threat response and the interaction of strategic fallout with operational practicalities can only serve to enhance industry preparedness and, perhaps more importantly, generate popular awareness that is so critical for eventual P3 success. Scholars and pracademics (“practitioner-academics”) are often invaluable interlocutors for translating shared interests expressed in divergent fashion between public and private partners.

4. Improve workforce pipeline tie-ins

While it plays into each solution so far, perhaps the simplest step that private actors can take to signal greater buy-in to partnership with the public sector is greater engagement with the pipelines for workforce development. Higher education is constantly improving these pipelines. Community college cybersecurity programming is often geared toward public service with strong support from organizations like the NSA or DHS. Signaling support for such programs by hiring graduates and sponsoring events sends a strong positive message about what is working with federal outlays on national cybersecurity (as many firms already do). Working to strengthen these pipelines further by engaging pre-college students, lobbying localities for worker retraining support and more could take that signal much further.

5. Don’t spare cybersecurity vendors

Finally, as others have suggested, cybersecurity stakeholders can’t shy away from the fact that P3 initiatives like the one the JCDC is presenting are dominated by cybersecurity vendors. There are numerous reasons why this is unsurprising. Most significantly, vendors’ voices are often amplified by market share and the reality that many federal officials (the switchers and programmers) see national digital security futures as at least partly driven by design considerations. This dynamic does not change the reality that bottom-up collaborative security solutions in America are desirable beyond what current P3 efforts are providing.

Similarly, secure-by-design conversations must involve voices beyond vendors, the government, and the often-inexpert consumer. Security teams have a distinct responsibility to point out flaws in products, underlying infrastructure technologies, and new practices. Security teams can and should vote with their budgets against compromise solutions that are good enough but not sustainable or scalable to the standard of community security.


