Cybersecurity is a technical challenge, but it usually has a legal and regulatory aspect as well. There is the legal framework under which organizations operate and under which cybercrimes are defined and, sometimes, prosecuted. Then there are the complex interactions between government security initiatives and those of the private sector.
In February, the White House's announcement of President Obama's Executive Order (EO) contributed to the second category, opening the door to threat intelligence sharing between private and public entities. A step in the right direction, experts seem to agree, but only a step in a realm that remains confusing to private sector players. Fundamentally, it seems, the threat actors have free rein while the “good guys” in business and government remain relatively uncoordinated in their responses.
According to Jerry Irvine, CIO of Prescient Solutions, a Chicago-based IT outsourcer and advisory firm, and a member of the National Cyber Security Task Force, the EO is extremely important for companies and industries in that it provides them the ability to share cybersecurity information with the government and, in some instances, with others within their industry. “Cybercriminals share information – including personally identifiable information (PII) and confidential information – openly, in order to define specifics on how to hack and steal data [which] has allowed them to overcome common security measures and stay ahead of cybersecurity professionals,” says Irvine. Legitimate organizations, on the other hand, have been limited in what they could share, which constrains their ability to avoid or correct security incidents, or to warn others of the risk. As a result, multiple companies and entire industries have been victims of the same attacks.
Our experts: Risk coverage
Michael Brown, VP/GM of RSA Global Public Sector at RSA, a division of EMC
Larry Clinton, president and CEO, Internet Security Alliance (ISA)
Summer Fowler, deputy technical director, Carnegie Mellon University
Wolfgang Goerlich, cybersecurity strategist, CBI
Jerry Irvine, CIO, Prescient Solutions; member, National Cyber Security Task Force
Among others sharing an enthusiasm for the EO is Larry Clinton, president and chief executive officer of the Internet Security Alliance (ISA), an Arlington, Va.-based forum and advocate for information sharing on information security. “This, frankly, visionary policy statement was a 180-degree reversal from the president's previous approach, which was to attempt to address the cybersecurity problems through a traditional regulatory model, with federal mandates for the private systems that run the internet,” he says.
Clinton says the administration initially floated that approach but then came to the conclusion that it wouldn't work because technology and attack methods change too quickly for regulators to keep up. “It would have been anti-security as it would have stifled innovation and diverted scarce security resources to unhelpful compliance regimes,” he says.
Instead, Clinton describes the EO as a “social contract model,” which asks industry to work with government, aiming for a consensus as to what standards and practices are most likely to improve enterprise cybersecurity – with voluntary adoption based on each organization's unique risk assessment.
Still, Irvine says industry is anxiously awaiting the passage of a cybersecurity information sharing act. “The major concern with cyberinformation sharing is in regard to the potential liability companies would face if PII or confidential information was accidentally included,” he explains. Without liability limitations, companies will be reluctant to share information openly, according to Irvine.
In particular, one of the biggest concerns has been anti-trust liability, says Michael Brown, vice president and general manager of RSA Global Public Sector at the RSA division of EMC, based in Bedford, Mass., and a retired rear admiral. He says that specific concern was somewhat reduced last year when the DOJ and other federal entities made a series of rulings about information sharing that “set boundaries so as not to cross those anti-trust lines.” Still, he notes, there is room for much more clarity.
A key feature of the president's recommendations is the establishment of new information sharing and analysis organizations (ISAOs) to serve as focal points for cybersecurity information sharing and collaboration. They would operate within the private sector and between the private sector and government, under the control and oversight of the Department of Homeland Security, Irvine explains.
Of course, information sharing isn't an entirely new concept. J Wolfgang Goerlich, cybersecurity strategist with CBI, a Troy, Mich.-based firm that manages IT security risk to help ensure data is secure, compliant and available, explains that InfraGard, a partnership between the FBI and organizations deemed to be critical infrastructure (such as those in energy, finance and transportation), has been sharing criminal information between the public and private sectors since 1996. Those organizations, too, have been handicapped over the years by limitations on their information-sharing abilities and by the same concerns about potential liability. Information Sharing and Analysis Centers (ISACs) have been sharing sector-specific information on attacks and threats since 1999, and eighteen different ISACs currently serve sectors ranging from health care to financial services. “An open question is how the proposed ISAOs will complement and coordinate with the existing ISACs,” notes Goerlich.
Yet another initiative, the NIST Cybersecurity Framework, was launched following President Obama's 2013 executive order. It provides guidance on the controls and practices that organizations can implement to improve their security posture. “The functions of the framework include ‘Identify' and ‘Detect,' which will both be bolstered by better information sharing of threat indicators and criminal tactics proposed by this year's executive order,” says Goerlich.
Yet another effort at information sharing among the public and private sectors is the DHS National Cybersecurity and Communications Integration Center (NCCIC). The CERT division of Carnegie Mellon University's Software Engineering Institute participates in that effort, and Summer Fowler, deputy technical director of cybersecurity solutions, sees great value in further information sharing. However, she says there is still much to be done in terms of establishing a “trust model” between government and the private sector. Fowler says she is concerned about the tendency for public-private initiatives to drift eventually toward spawning more regulations, which may not actually enhance security. Moreover, Fowler says initiatives tend to take a broad-brush approach that rarely gives adequate consideration to the millions of small businesses in the country. They also face cybersecurity challenges but have little or no staff focused on the problem and little capacity to respond to regulatory programs, an issue that even the U.S. Chamber of Commerce has expressed concern over.
As a consequence, Fowler says her organization is now working on some initiatives specifically targeting small business.
And what of the prospects for truly comprehensive legislation emerging from a famously gridlocked legislative branch? Irvine says Congress has been attempting to pass legislation on cybersecurity, such as the Cybersecurity Information Sharing Act (CISA) and the Protecting Cyber Networks Act (PCNA) – though both have drawn fire from privacy advocates who say they don't protect the interests of consumers.
Congressman Jim Langevin (D-RI), co-chair of the Congressional Cybersecurity Caucus, agrees that passage of comprehensive cybersecurity legislation is long overdue, but insists there has already been some progress on strengthening the nation's cyberdefenses. “I have seen an increased awareness on cyber issues, and I believe both the public and private sectors are starting to realize how important cybersecurity is to our economic and national security,” he says. Langevin also credits President Obama with raising the profile of cybersecurity and says the executive actions he has taken “moves us in the right direction.”
Still, says Irvine, since it was signed in February “there have not been any new security technologies or policies resulting from the EO.” And that's not going to help with containing the rapidly evolving threats, he says.