Untangling the knotty problem of information sharing

By: William Jackson
March 13, 2015


Although everyone agrees that information sharing is essential to effective cybersecurity, a lack of trust between the private sector and government, and among governments, makes it a challenge that only Congress can resolve.

Retired Gen. Keith Alexander, the former NSA director, said recently that without more effective sharing of threat information the nation's cybersecurity is in jeopardy.

"We're not ready yet" to effectively defend government and industry networks from the threats posed by organized criminals, terrorists and foreign nations, Alexander said last month at the Microsoft Federal Executive Forum in Washington. The nation needs a legal framework that lets government and companies work together more closely and that lays out clear roles and responsibilities for each side.

Unfortunately, legislation that effectively improves cybersecurity while protecting privacy and civil liberties has yet to emerge from Congress. A new version of the Cybersecurity Information Sharing Act (CISA) went through markup March 12 in the Senate Select Committee on Intelligence. Although the final text of the bill is not yet available, privacy advocates say the CISA discussion draft grants overly broad powers for companies to share communications with the government, putting users at risk of corporate and government spying.

Improved information sharing has been recognized as a critical need in cybersecurity for years, and some progress has been made. Sector-specific Information Sharing and Analysis Centers (ISACs) have been set up to facilitate cooperation among companies and with government. In February, President Obama signed an executive order intended to improve information sharing for securing critical infrastructure. But our cybersecurity posture is still found wanting, and inadequate sharing remains a major part of the problem.

Why is this still such an issue, when everyone agrees it needs to be done? The problem is one of trust.

Alexander, who also headed U.S. Cyber Command, said that the government has a responsibility to protect privately owned infrastructure and to respond to incidents such as the recent attacks on Sony's networks, which have been attributed to North Korea. The private sector cannot legally respond to attacks, Alexander said. "We don't want industry to do that." That puts the responsibility for a response squarely on the government's shoulders. But the government cannot respond without information from private-sector networks.

The private sector, however, does not trust the government. Historically, industry has complained that the government's idea of sharing is to take information without giving anything in return. Recent revelations about NSA surveillance and data gathering have made the situation even more difficult. In the wake of the Edward Snowden leaks, consumers, corporations and foreign governments are leery of any company seen as cooperating too closely with the U.S. government.

"Snowden has put us in a bad place with foreign customers," Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, said at the Executive Forum. Foreign customers are now more reluctant to use U.S. technology and services because they do not know whether they can trust them. And efforts by the U.S. government to gain access to Microsoft data held on servers in Ireland raise the specter of foreign governments demanding access to data on U.S. servers. "Reciprocity is hell in foreign affairs," Charney said.

Companies also worry that information shared with the government could be subject to the Freedom of Information Act, resulting in the disclosure of proprietary, sensitive or embarrassing information that could put them at a business disadvantage or expose them to legal liability. On the other hand, consumer advocates worry that if companies receive liability protection and a FOIA exemption for shared information, they could unfairly shield themselves from legal action by dumping incriminating data on the government.

This knot of suspicion, distrust and liability can only be cut by legislation that spells out the rights, roles and responsibilities of all parties. Alexander was generally approving of the legislative proposal put forward by President Obama, saying that it addresses most of the critical issues. But Alexander's reputation as a protector of U.S. citizens' privacy is not particularly high.

Given Congress's past inability to act on cybersecurity, it seems unlikely that lawmakers will soon find the resolve to tackle this complex issue, which requires balancing the competing interests of privacy and security while protecting both business and public safety.

There is still much that organizations can do to improve their own security. But until Congress decides to act responsibly, the intelligence needed for a holistic defense is likely to be missing, and U.S. cybersecurity is likely to remain fragmented and reactive, responding to breaches rather than anticipating threats.