Why cyber defense tech is not working
Connecting state and local government leaders
The nation's cybersecurity is still hampered by inadequate cooperation between the public and private sectors; legislation could help solve that problem.
The nation’s cybersecurity is hampered by inadequate cooperation and information sharing between the public and private sectors, government officials say, and some regulatory framework is needed to improve the situation.
It isn’t that the technology and tools are not available to better protect government information systems and our critical infrastructure.
“It’s not a technical issue,” said Mark Weatherford, deputy undersecretary for cybersecurity at the Homeland Security Department. “The governance of security is equally as important as the technology.”
But existing policy and laws do not adequately address the need to quickly share more information between government and industry. Today, legal counsel is the first point of contact in dealing with a cybersecurity incident, and the default decision usually is to keep information confidential.
“There is a fair degree of litigation risk,” said Eric Rosenbach, the Defense Department’s deputy assistant secretary for cyber policy. “That alone will stop you” from releasing information. “There is a need for some kind of legislation or executive order.”
Weatherford and Rosenbach made their comments at the recent Security Innovation Network event in Washington, D.C. As the name implies, the event focuses on innovative cybersecurity technology, but in a discussion on information sharing it was not technology that was identified as the roadblock. Rather it was the lack of standards for minimum security in critical infrastructure and the lack of clear legal protection for companies that choose to share information about threats and breaches to their systems.
The situation is not new. Bills addressing these problems have been introduced in the last several congresses, but disagreement over the appropriate role of government in protecting the civil infrastructure has stalled action on them.
DOD has launched a public relations effort to highlight the need for action, starting with a speech by Defense Secretary and former CIA director Leon Panetta several weeks ago in which he revealed some details of a cyber attack against the Saudi Arabian oil company Aramco that destroyed information on a large number of computers.
“We in the Defense Department are quite concerned about that,” Rosenbach said. To defend U.S. assets against such attacks, DOD needs visibility into Internet activity on at least a national level, if not a global level, he said. “That’s one of the main reasons we are concerned about information sharing.”
The White House is preparing an executive order that President Obama is expected to sign that would provide some of the framework in the absence of congressional action. It reportedly would focus on voluntary standards for private-sector operators of critical systems, with incentives rather than requirements for better cooperation.
This is the current strategy followed by DHS, which is the lead agency in protection of civilian government and privately owned systems. Weatherford said DHS has reached out to companies in the wake of the Aramco attacks. “We’re just trying to raise the bar and make sure operators are prepared, or at least thinking about it.”
Critics of government regulation argue that regulation does not ensure security. And they are correct. On the other hand, the argument that if we leave the private sector alone to pursue its own interests it will naturally protect itself obviously is not working. Some baselines for security as well as requirements and protections for information sharing — both ways — should be welcome both by government defenders and by companies. The current uncertainty and lack of clarity helps no one but the United States’ attackers.