Can private industry effectively manage itself in regards to maintaining cybersecurity, or is The White House Executive Order on Cybersecurity enough?
Truly effective cybersecurity is dependent on the partnership between private industry and the government. Although their goals may at times diverge, cooperation between the two segments is critical to the protection of private and public cyberinformation. Significant amounts of sensitive data exist within both realms, and it is imperative that we develop the best methods of protecting this data.
The US government reported over a 50 percent increase in reported attacks on critical infrastructure in 2012, including several long-term attacks on major banks and financial institutions. One only has to watch the news to see the rampant amount of intellectual property being stolen from corporate and government networks to realize that current techniques and technologies are not sufficient. In addition, the tension between security and privacy is growing as companies and the government take more invasive steps to slow the leaks.
Attacks on different sectors in the past have been costly, from $500,000 to several million dollars per breach. An attack on critical communications infrastructure would not only cause damage in millions of dollars with downtime to financial, healthcare, emergency response, transportation, and other networks, but it would also cost lives. Some estimates suggest that recovery from such an attack could possibly take weeks and cost billions of dollars.
The White House Executive Order on Cybersecurity (WHEOC) directs several entities, including the Department of Homeland Security, the director of National Intelligence, and the attorney general, to work together to provide processes and solutions to address future attacks. The order also seeks to increase information sharing between public and private entities regarding suspected or proven cyberattacks.
The Cyber Intelligence Sharing and Protection Act (CISPA) has recently faced strong obstacles to passing into law. The act would allow for the sharing of Internet traffic information between the US government and technology and manufacturing companies with the aim to help the US government investigate cyberthreats and ensure the security of networks against cyberattacks.
Currently the government is limited by privacy restrictions on the information it can share with other companies in a similar industry when it has knowledge of specific attacks on a specific company. These programs would seek to open up classified and known cyberthreat information to those security classified organizations supporting and supplying critical infrastructure in addition to traditional defense contractors. This may require granting more security clearances to employees in private industry. However, recent leaks from Edward Snowden, a private industry employee with a security clearance, have raised the sensitivity of privacy protection from government to a new, higher level. Methods to share data without sharing private information will be the key to future cooperation between industry and government.
The new rules and guidelines from the CISPA and the WHEOC are an attempt to increase reporting of all breaches and advanced cyberattacks, and to raise the level of participation between the government and private industry toward the detection and prevention of future catastrophic attacks. The current level of information sharing from either private industry or the government is very low. Industry does not want a public airing of this type of information because it can affect stock price or public perception. Government is also concerned about the information getting into the hands of nations that would wage cyberwarfare against us. However, without such information sharing about the frequency and nature of advanced attacks, the cyberattackers will continue to have the advantage and grow the sophistication of their methods.
How could the government increase its role in cybersecurity? One suggestion has been to provide incentive discounts to private industry for implementation of advanced cybersecurity technology or securely sharing breach information. Another suggestion has the government investing more in the development of advanced cyber detection technologies and sharing or licensing those technologies to private industry.
It is clear that only with the cooperation of industry and government and sharing of advanced attack methods will we be able to defend ourselves effectively. It is imperative that future sharing techniques be created that would consolidate the various agency regulations to enable the sharing of critical attack information with both industry and government without revealing private or sensitive data. Future technologies must include the ability to track and identify cyberattacks without compromising the civil liberties and privacy expectations that are so valued in the US. At the same time, increased security through cooperation between government and industry will ensure the protection of our private and valuable IP data.
Jim Deerman has over 30 years of extensive experience in network architecture, design, and implementation. As director of cybersecurity engineering for ISC8, Jim is involved in the areas of design, implementation and operations for network/system security, enterprise data networks, and VoIP networks.