Cybersecurity is a technical challenge. But it usually has a legal and regulatory aspect as well. Obviously, there is the legal framework under which organizations operate and under which cybercrimes are defined and, sometimes, prosecuted. Then, of course, there are the complex interactions between government security initiatives and those of the private sector.
In February, the White House's announcement of President Obama's Executive Order (EO) contributed to the second category – opening the door to threat intelligence sharing between private and public entities. A step in the right direction, experts seem to agree, but only a step in a realm that remains confusing to private sector players. Fundamentally, it seems, the threat actors have free rein while the “good guys” in business and government remain relatively uncoordinated in their responses.
According to Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT outsourcer and advisory firm, and a member of the National Cyber Security Task Force, the EO is extremely important for companies and industries in that it provides them the ability to share cybersecurity information with the government and, in some instances, with others within their industry. “Cybercriminals share information – including personally identifiable information (PII) and confidential information – openly, in order to define specifics on how to hack and steal data [which] has allowed them to overcome common security measures and stay ahead of cybersecurity professionals,” says Irvine. On the other hand, legitimate organizations have been limited as to what they could share, constraining their ability to avoid or correct security incidents, or to warn others of the potential for them. As a result, multiple companies and entire industries have been victims of the same attacks.
Our experts: Risk coverage
Michael Brown, VP/GM of RSA Global Public Sector at RSA, a division of EMC
Larry Clinton, president and CEO, Internet Security Alliance (ISA)
Summer Fowler, deputy technical director, Carnegie Mellon University
Wolfgang Goerlich, cybersecurity strategist, CBI
Jerry Irvine, CIO, Prescient Solutions; member, National Cyber Security Task Force
Among others sharing an enthusiasm for the EO is Larry Clinton, president and chief executive officer of the Internet Security Alliance (ISA), an Arlington, Va.-based forum and advocate for information sharing on information security. “This, frankly, visionary policy statement was a 180-degree reversal from the president's previous approach, which was to attempt to address the cybersecurity problems through a traditional regulatory model, with federal mandates for the private systems that run the internet,” he says.
Clinton says the administration initially floated that approach but then came to the conclusion that it wouldn't work because technology and attack methods change too quickly for regulators to keep up. “It would have been anti-security as it would have stifled innovation and diverted scarce security resources to unhelpful compliance regimes,” he says.
Instead, Clinton describes the EO as a “social contract model,” which asks industry to work with government, aiming for a consensus as to what standards and practices are most likely to improve enterprise cybersecurity – with voluntary adoption based on each organization's unique risk assessment.
Still, Irvine says industry is anxiously awaiting the passage of a cybersecurity information sharing act. “The major concern with cyberinformation sharing is in regard to the potential liability companies would face if PII or confidential information was accidentally included,” he explains. Without the inclusion of liability limitations, companies will be reluctant to openly share information, according to Irvine.
In particular, one of the biggest concerns has been anti-trust liability, says Michael Brown, vice president and general manager of RSA Global Public Sector at the RSA division of EMC, based in Bedford, Mass., and a retired rear admiral. He says that specific concern was somewhat reduced last year when the DOJ and other federal entities made a series of rulings about information sharing that “set boundaries so as not to cross those anti-trust lines.” Still, he notes, there is room for much more clarity.
A key feature of the president's recommendations is the establishment of new information sharing and analysis organizations (ISAOs) to serve as focal points for cybersecurity information sharing and collaboration. They would operate within the private sector and between the private sector and government under the control and oversight of the Department of Homeland Security, Irvine explains.