Public-Private Partnerships for Election Systems Cybersecurity Research Paper

Introduction

Public-private partnerships (PPPs) in the US have a long history of success. The first PPPs in the US were the power purchase agreements signed in the 1980s (Mirchandani & Jacobo, 2021). According to World Bank (2020a), a PPP can be defined as “a long-term contract between a private party and a government entity, for providing a public asset or service, in which the private party bears significant risk and management responsibility, and remuneration is linked to performance” (para. 1). PPPs should be distinguished from public contracts, such as concessions. In public contracts, the private sector provides the service directly to the public and bears all the associated end-user risks (World Bank, 2020a). In PPPs, unlike in public contracts, government agencies take full responsibility for the end product before the general public (World Bank, 2020a). The private party is responsible only for the portion of work it has completed for the public.

PPPs can be guided either by special laws or by general laws. According to World Bank (2021), there are several reasons a government may decide to enact a PPP law. They include giving priority to the process of procuring and developing PPP projects and establishing a clear institutional framework for managing PPPs (World Bank, 2021). The government can create a PPP law based on its judgment or utilize a set of recommendations provided by the World Bank (2021). In the US, there is no federal law that instructs the states on how to address PPPs (Mirchandani & Jacobo, 2021). Currently, almost every state has enacted a law that permits PPPs in social or transportation projects. However, some states still rely on common law to guide PPPs. The most common PPP projects in the US are the development of roads and related infrastructure, as well as building prisons, university housing, and school (Mirchandani & Jacobo, 2021). The changes in the election protocols due to the COVID-19 pandemic demonstrated that improvement is needed in government cybersecurity. The present paper aims at discussing PPPs in the sphere of election security.

Roles of the Private Actors in Election Cybersecurity

The use of PPP for cybersecurity has become imperative to address cybersecurity issues and prevent attacks that can lead to leakage or disruption of sensitive and valuable data. The private sector controls many critical systems that need to be protected and usually has more resources than the government (Germano, 2014). Private actors also have valuable expertise that can help to understand the peculiarities of malicious users and software critical to protecting government assets (Germano, 2014). At the same time, the government holds very specific information that can be used to fend off cyberattacks and mitigate their consequences. Moreover, government agencies, such as the National Security Agency (NSA), Defense Advanced Research Projects Agency (DARPA), Department of Defense (DoD), and Department of Homeland Security (DHS), have valuable knowledge about cybersecurity; however, since the agencies are responsible for very specific focus and do not address cybersecurity at large (Potter, 2019). PPPs can help to collaborate and line up against cybersecurity threats.

The role of the private actors in PPPs concerning election cybersecurity includes four critical aspects described below. These four roles are based on information and knowledge sharing with an emphasis on confidentiality and competitive concerns (Germano, 2014).

1. Sharing insights about peculiarities of threats. Private actors, such as cybersecurity companies, have information about details of the attacks on companies and specific knowledge about how to mitigate and prevent these attacks (Germano, 2014). This knowledge is usually a part trade secret, which is a source of competitive advantage (Potter, 2019). Sharing this information with the public parties can help them to understand how to better protect the election process without the risk of disclosing the information to other companies. However, this can be achieved only when a highly effective collaboration framework is enforced.
2. Analyzing information from the public sector. The private actors have developed a set of useful processes helpful for analyzing information about possible threats and using it to protect against cyber threats (Potter, 2019). Applying this expertise to the information gained from government agencies can help to extract valuable knowledge about the best strategies for protecting elections from attacks from malicious users. Additionally, private companies can help to stimulate coordination of all the acquired information.
3. Developing threat intelligence. The private sector developed several strategies of threat intelligence that may involve hacking into the offender’s system to understand how it works (Germano, 2014). Such an approach can help develop proactive strategies that prevent the loss, theft, or disruption of data; however, such strategies are illegal in the US (Germano, 2014). When guided by the US government, the private sector can create effective methods of threat intelligence without fear of breaking the law.
4. Conducting security assessment. Private parties can use all the gained knowledge and expertise to conduct security assessments of election networks (Erbach, 2020). Such expertise may lead to early detection of threats and vulnerabilities, which can compromise the security of elections. Mitigation of these threats and vulnerabilities is expected to improve election cybersecurity.

Benefits and Risks

The present section provides an overview of the possible benefits and risks of PPPs for both private and public parties. The risks of PPPs include:

1. Disclosure and Exposure. Without an established protocol that ensures the confidentiality of PPPs in cybersecurity, the private sector needs to tolerate the risk of disclosure of sensitive data about the vulnerabilities to third parties. Disclosure of such information may lead to negative press, regulatory scrutiny, and public relations (Germano, 2014). This risk is currently a significant barrier to the establishment of PPPs.
2. Loss of control. Private actors often prefer to retain control over the investigation of breaches to avoid unnecessary disclosure (Germano, 2014). Additionally, PPPs may mean granting absolute control over private computer systems and information within these systems. Companies need to feel secure to partner with the government effectively.
3. Increased cost. PPPs may be associated with increased costs for the government in comparison with traditional procurement projects (Rybnicek et al., 2020). Therefore, the government needs to establish control over costs and ensure that the increased use of funds is justified.
4. Limited scope. The private actors do only what they were paid to do, which implies that any work outside the signed contract will not be completed. Therefore, government agencies bear the risk of describing the incomplete scope of the partnership, which will lead to decreased effectiveness (World Bank, 2020b).

While the risks for both parties are considerable, numerous benefits of PPPs should be mentioned. Several benefits of PPPs are listed below:

1. Innovation. The introduction of private-sector technology into the public sector can spur innovation (World Bank, 2020b). As a result, the quality and effectiveness of cybersecurity of all government agencies may be improved.
2. Development of private sector capabilities. Exposure to knowledge and competencies of the public sector may help to improve the practices of private companies. Additionally, PPPs in the sphere of election cybersecurity can establish long-term relationships between the two sectors, which may mean stable money inflow from future PPPs (World Bank, 2020b).
3. Risk transfer. The government may transfer the risk of owning and managing assets that help to develop cybersecurity software and protocols to the private parties (World Bank, 2020b). As a result, the high cost of such partnerships may be offset by the decrease in risks.

Recommendations

The present section provides recommendations for private parties for companies to engage in before committing to participation in a PPP for cybersecurity.

1. Assess all the risks and benefits. Private actors need to understand all the risks and benefits of engaging in PPPs. As mentioned by Germano (2014), PPPs may be associated with significant risks of loss of control, disclosure of sensitive information, and exposure to unwanted legislative scrutiny, negative press, and public relations. Additionally, the companies may need to share strategically valuable information with a third party. Even though the third party is the government, private firms may still feel uncomfortable sharing information about the source of competitive advantage due to the lack of trust. Thus, the company needs to ensure that benefits surpass the risks to sustain a PPP contract regardless of the risks.
2. Learn the legal framework that regulates PPPs. Mirchandani and Jacobo (2021) state that regulatory frameworks differ from state to state, which implies that practices appropriate in one state may be inappropriate outside of it. Therefore, it is crucial to understand if the relationships between the private and public actors will be managed by a specific law or common law and how the law modifies the partnership between the two parties (World Bank, 2020a).
3. Assess the level of the company’s cybersecurity. Before uniting the networks with the government, the private companies need to assess their level of cybersecurity. National Institute of Standards and Technology (NIST, 2018) developed a comprehensive framework for network security. This network consists of five basic functions, including identifying, protecting, detecting, responding, and recovering (NIST, 2018). The framework includes a set of recommendations that can help to streamline the cybersecurity processes.
4. Review best practices in cybersecurity. Cybersecurity and Infrastructure Security Agency (CISA, 2019) developed a list of tips for election cybersecurity. These best practices should also be utilized by the companies attempting to partner with the public parties based on election cybersecurity. Recommendations include having a unified software and patch management system, network segmentation, log management, blocking suspicious activity, and employing effective credential management practices (CISA, 2019).

Summary

The present paper overview PPPs as a source of improving election cybersecurity. The research revealed that, in the US, states might have their own PPP laws or avoid having any specific regulations that guide PPPs. Regardless of the regulatory framework, private and public actors are exposed to significant risks. Private actors can face the risk of losing control and faces unwanted exposures and disclosures. The government may face the risk of increased cost and limited scope of the partnership. However, the risks are usually offset by the benefits of PPPs for both parties. Before engaging in a partnership with a public party, a private actor needs to ensure that it understands all the risks, benefits, and regulatory frameworks. Additionally, the company needs to assess the company’s cybersecurity practices and implement best practices applicable to cybersecurity.

References

Cybersecurity and Infrastructure Security Agency. (2019). Security Tip (ST19-002). Web.

Erbach, M. (2020). The role DHS can play in election security.FedTech. Web.

Germano, J. (2014). Cybersecurity partnerships: A new era of public-private collaboration. The Center on Law and Security. Web.

Mirchandani, D., & Jacobo, A. (2021). The public-private partnership law review: USA. The Law Reviews. Web.

National Institute of Standards and Technology. (2018). Framework for Improving Critical Infrastructure Cybersecurity. Web.

Potter, B. (2019). How public-private partnerships can support election security. Web.

Rybnicek, R., Plakolm, J., & Baumgartner, L. (2020). Risks in Public-Private Partnerships: A Systematic Literature Review of Risk Factors, Their Impact and Risk Mitigation Strategies.Public Performance & Management Review, 43(5), 1174-1208. Web.

World Bank. (2020a). What are Public-Private Partnerships? Web.

World Bank. (2020b). Government objectives: Benefits and risks of PPPs. Web.

World Bank. (2021). Public-Private Partnerships Laws / Concession Laws. Web.