As a person who works with both the federal government and private industry, I’m lucky to be able to see the recent focus on federal cybersecurity not only from the perspective of lawmakers and agencies, but also from the outside looking in. Unfortunately, the view from both perspectives isn’t very pretty. Throughout the lifecycle of federally mandated cybersecurity, there is inconsistency, overlap, and contradiction across the spectrum, from legislation, to implementation, to awareness and communication.

Let’s start with perhaps the most egregious aspect of cybersecurity dysfunction: the legislative process. Last week, one of my fellow speakers at the University of North Carolina-Charlotte 12th Annual Cybersecurity Summit, Elizabeth Johnson, documented some of the more than 40 bills currently in Congress that address cybersecurity. These bills come from both houses and both parties, and several are bipartisan (in name, at least). They also vary enormously in scope, from bills that focus on “critical infrastructure” (defined as some combination of verticals including financial markets, energy production and distribution, the food industry, and healthcare, spanning both the public and private sector) to those that are far broader in reach (e.g., “all public companies”).

While it’s good to see so many men and women in the House and Senate interested in cybersecurity, it’s unfortunately clear that many of these bills – if not all of them – were authored by people who’ve never really been in the proverbial trenches of security. Cybersecurity resonates strongly with both the federal government and private industry at the moment, and we should all view that as a positive thing.

Unfortunately, it has become ensnared in a highly politicized legislative quagmire; and to be clear, I don’t just mean “Democrats versus Republicans”. Individual committees – from Commerce, to Defense, to Appropriations – are exerting what they believe to be their authority over cybersecurity legislation in order to become the de facto group controlling the future of cybersecurity. The result is that, while there are some great recommendations in many of these bills, the good ideas are spread out among disparate bills, sponsored by different people with different agendas. If the past two years of legislative efforts are any benchmark, we’re likely to continue to see a flurry of cybersecurity bills entering committees, but no actual, rational laws passed.

Hand in hand with cybersecurity legislation walk one or more vehicles to help deliver and support that legislation in the private sector. Today, a number of government entities – DHS, US Cybercom, the State Department, the Department of Justice, the FCC and others – run their own programs for providing cybersecurity-related information to, and working with, the private sector.

Unfortunately, these efforts are not coordinated; ask a dozen CISOs, “What free tools and information does the federal government provide you to keep your networks more secure?”, and you’re likely to get a smattering of responses that might include US-CERT or some other long-established programs, but you’re unlikely to hear about much else.

Ask the follow-up question, “Which government agency is responsible for working with private industry to provide cybersecurity awareness?”, and you’ll either get a blank stare, or a group of disparate federal agency acronyms rattled off in your direction – but no single source of public-private partnership.

Much like in Congress, individual agencies are trying to establish themselves as “the cybersecurity agency” by hoarding knowledge and refusing to cede any authority to other agencies. The federal government spends more than its fair share on cybersecurity initiatives, and the feds learn a tremendous amount from those programs that could help private industry make their systems and data more secure. But if there are no clear mechanisms in place for knowledge transfer between the public and private sectors, much of the value of these programs is wasted, locked away solely in the province of the federal government.

So what should we do about this cybersecurity dysfunction? From the legislative side, Congress needs to get its act together and come together on true bipartisan, bicameral cybersecurity legislation that has the buy-in of multiple committees, and is backed by testimony and recommendations from hands-on security practitioners in the private sector: not just think-tanks, federal system integrators, and the ubiquitous “policy advisors” from inside the D.C. beltway. And when it comes to content, what should that legislation look like?

According to the private sector CISOs that I’ve recently spoken to, it needs to be outcomes-based, not focusing on specific security controls (e.g., “passwords must be at least 8 characters in length”, or “all employees and contractors must have background checks”) but rather focused on functions like “reduce the risks to critical assets” and “prevent misuse of systems.”

From the perspective of public-private partnership and security awareness, the Department of Defense and the civilian agencies need to start playing nice with their own sub-agencies as well as with each other, share their cybersecurity research and tools, and identify which agency is going to be the official conduit of security awareness between the public and private sectors.

This doesn’t mean that other agencies won’t have vital contributions to make to cybersecurity – instead, it means that their research, ideas and knowledge will reach the public through a unified conduit. Just as importantly, this needs to be a bi-directional channel; too often, federal agencies operate inside “bubbles” with no understanding of the business drivers of private industry. Without a feedback loop to ensure that the information being provided by the federal government is actually useful, a unified cybersecurity clearinghouse will be a wasted effort.

The federal government clearly wants to lead by example in cybersecurity; but a leader without direction, focus or communication skills is no leader at all.

John Linkous is vice president and chief security and compliance officer at eIQnetworks, Inc.