Despite a Congress that “is not passing many bills these days,” the White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities, Ari Schwartz, senior director for cybersecurity, National Security Council, at the White House, told attendees at SC Congress New York on Tuesday.
Delivering the keynote address, “Knocking down the barriers to information sharing,” Schwartz noted that while motivations and the attackers differ — from criminal to nation-state operatives — they “all use the same tools.” And, organizations mostly don't care why or who as much as what and how.
“They just want them to stop,” he said. “They want to know what kind of practices they should put in place in terms of policy.”
By sharing information, companies and government agencies can more readily identify a threat or an attack and mitigate or thwart it long before significant damage is done. But coaxing private and public sector organizations to share information amongst themselves and with each other has proven difficult.
While private-to-private information sharing is nothing new, Schwartz said, companies may still be hesitant to share information with competitors. Likewise, private companies have not wholly trusted government to protect information it receives from them and use it properly. A similar wariness has stymied the flow of threat information among some governments.
But improving government sharing of information with the private sector “is one we could make most progress on without new legislation,” said Schwartz. “We just needed to get more people cleared, get more information declassified and provide more unclassified information.”
And not look to legislators to clear the way. Congress's inability to act quickly has slowed progress and frustrated the administration as well as security advocates. At one point, 42 bills languished in nine different committees on Capitol Hill. “It was unlikely any would pass,” said Schwartz. And, to date, there has still been no meaningful legislative action taken.
But the White House has moved forward, advancing the notion of building a “framework to promote cyber security in a voluntary way,” said Schwartz, first through an Executive Order signed in February 2013, which came to fruition when the National Institute of Standards and Technology (NIST) released a cyber security framework a year later, in February 2014.
Another Executive Order, signed by President Obama last Friday to improve payment security, also expands the sharing of information, clearing the way for federal investigators to regularly report evidence of stolen information to those companies whose customers have been impacted.
Schwartz would like to see sharing get to the point that when information on a threat comes in, it's shared “within an hour.”
And while cybersecurity advocates have been able to get around Congress to lay the groundwork for a better cybersecurity policy, the need for definitive legislation looms large.
“We've tried to remove the barriers,” Schwartz said.
But creating and implementing voluntary guidelines that will encourage information sharing and stronger security is a long way off, though doable.
“We'd like stronger security through market driven mechanisms,” said Schwartz. “For example, if you want cyber security insurance, you're going to have to prove you've done something.” That way, “we can streamline without using the framework as a hammer,” he said.