Fragmented Government Efforts Stymie Cybersecurity Progress
Commercial leaders press for a presidential cyber advisory committee to spur national dialogue between industry and the government.
The private and financial sectors are pressing for better governmental answers to the costly cybersecurity challenges still plaguing the nation. They want the White House to create, as a minimum first step, an interagency or oversight group to facilitate information sharing. This small step is seen as a critical link between industry and government to organizing the fragmented cybersecurity efforts needed to quash mounting attacks.
While federal efforts abound, they are coordinated haphazardly, with gaps and no overarching governance—in spite of a preponderance of existing documents, plans, regulations and actions, according to experts.
A year has passed since the breach of Target Corporation’s information security in which hackers stole 40 million credit and debit card numbers, and yet no national coordinated clearinghouse exists for the formal sharing of information and lessons learned that might mitigate future attacks. A spate of high-profile data breaches has hit big retailers and financial institutions, but cybersecurity in the United States remains a lax patchwork of ill-defined rules and dubious regulations.
But this is not for a lack of trying, some experts say. For years, officials as high as the president of the United States designated cybersecurity as one of the most serious economic and national security challenges—even though, of the 21 top issues listed on the whitehouse.gov home page in October, cybersecurity ironically is not among them.
The nation might have gotten close to a solution with the interim National Cyber Incident Response Plan (NCIRP), drafted in 2010 and developed according to the principles outlined in the National Response Framework. “The NCIRP is designed in full alignment with these initiatives to ensure that federal cyber incident response policies facilitate the rapid national coordination needed to defend against the full spectrum of threats,” the document reads. “The NCIRP focuses on improving the human and organizational responses to cyber incidents, while parallel efforts focus on enhancing the community’s technological capabilities.”
Framers intended the NCIRP to be the federal strategic document, supplemented by playbooks of tactical and operational details, to address varying cyber incidents. It had a dual purpose: to establish the strategic framework for organizational roles, responsibilities and actions; and to set up protocols for leaders to prepare for, respond to and coordinate recovery from a cyber incident. But its implementation fizzled. The Department of Homeland Security (DHS) established National Level Exercise 2012 (NLE 2012) in accordance with the National Exercise Program to serve as the nation’s comprehensive exercise program for planning, organizing, conducting and evaluating national-level exercises, including incorporation of the National Response Framework Cyber Incident Annex and the NCIRP.
Other documents and reports exist to serve as foundations for an otherwise seemingly daunting governmental task of fortifying cyber vulnerabilities. In 2009, for example, the president released the Cyberspace Policy Review, calling for a 60-day comprehensive review of U.S. policies and structures for cybersecurity and introducing a 10-point, near-term action plan. Some of the suggestions were realized, such as the creation of a national public awareness and education plan.
October is National Cyber Security Awareness Month. However, people might not know it by looking at federal websites, some of which failed to even mention the campaign during the designated month. A sampling in mid-October showed no prominently displayed mention of the awareness strategy on websites for the Defense Department, Department of Veterans Affairs, the U.S. House of Representatives, the U.S. Senate, Bureau of Alcohol, Tobacco, Firearms and Explosives, the U.S. Capitol Police, the Centers for Disease Control and Prevention (in spite of the Ebola scare that drove people to the site for information), the CIA, the U.S. Coast Guard, the Defense Finance and Accounting Service or the Defense Intelligence Agency, to name a few.
The National Security Telecommunications Advisory Committee’s (NSTAC’s) 2011 Report to the President on Communications Resiliency called for accelerated efforts for the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) mission to be fully operational by 2015. A 2009 NSTAC cybersecurity collaboration report outlines steps for the government—in partnership with industry—to create a joint, integrated, public-private cyber incident detection, mitigation and response operational capability. The agency called, for example, for increasing private sector fusion into the NCCIC. Additionally, the DHS has spent millions of dollars to host the Cyber Storm biennial exercise series—four of them so far—in an effort to provide the framework for the most extensive government-sponsored cybersecurity exercise of its kind. Experts say the exercises have produced little in the way of information sharing, details of gaps and vulnerabilities, or best practices to shore up weaknesses.
“A lot of work was put into developing cyber exercises. The whole reason we do exercises is to identify gaps,” says industry expert Bob Dix, vice president of global government affairs and public policy at Juniper Networks. “We’re supposed to develop improvement plans, a plan of action and milestones for how to address those gaps, and then we’re supposed to test them the next time around to see if we have gotten any better. We haven’t done any of that. With four exercises, we’ve spent tens of millions of taxpayer dollars on them; why don’t we have a sustained and comprehensive national educational and awareness campaign to teach people how to better protect themselves in cyberspace?”
What is lacking, say some, is a robust information-sharing plan between the private sector and government. That gap has spurred businesses and the financial industry, including the Securities Industry and Financial Markets Association, which represents big firms on Wall Street, to push for establishment of an interagency or nonprofit oversight committee of government and industry representatives.
“This new age of cybercrime has ushered in with it a need for companies to work with various arms of the government that are involved in investigating cybercrime, protecting critical infrastructure or regulating data security practices,” Kimberly Peretti, a partner at Alston & Bird and co-chair of the law firm’s security incident management and response team, writes in the Bureau of National Affairs Incorporated’s Privacy and Security Law Report. “The cyberthreat has not abated, and … the need for established methods of direct government-to-private sector and private-sector-to-government sharing has been highlighted.”
Fear stymies some of the information sharing in the private sector—fear of sharing proprietary details or personnel data, and fear of prosecution should federal officials deem the sharing could violate antitrust laws. Legal experts often caution their clients against sharing because no clear guidelines govern information sharing.
Some of the onus for easing legal restrictions could fall on Congress, contends the Heritage Foundation. “Given that cybersecurity threats are very real and costly and that voluntary information sharing is an inexpensive and privacy-enhancing way of staving off these threats, Congress should consider ways to facilitate sharing,” foundation writers state. Lawmakers could resolve ambiguities in outdated communications laws, the writers add, specifically the Wiretap Act and the Stored Communications Act, written in 1986 to deal with telephone privacy protection issues, which seem to prohibit sharing of cybersecurity information. Liability protections could encourage companies to share rather than fear lawsuits if damages result from shared information. And shared information should be protected from public release under the Freedom of Information Act.
A U.S. congressional bill might address the issues. The Senate version of the Cybersecurity Information Sharing Act of 2014, approved by the Senate Intelligence Committee in July, seeks to expand information shared about cybersecurity threats and defensive mechanisms between the government and industry. Language in the legislation includes a call for increased sharing of classified and unclassified cyberthreat information; authorization for individuals and companies to voluntarily share cyberthreat information with each other and with the government while safeguarding personally identifying information; liability protections for individuals and companies that appropriately monitor and safeguard their own networks; and limits restricting the government’s use of information it receives to cyber-related purposes, not inappropriate investigations or regulation.
An additional blueprint exists that could aid officials in drafting rules for information sharing. The Three Mile Island nuclear accident in 1979, the worst in U.S. commercial nuclear power plant history, highlighted failures of existing organizations and governance. Yet, after-action reports netted rapid, revolutionary and sweeping changes within the nuclear industry, to include the establishment of effective nationwide information sharing and governance processes. In 2013, President Barack Obama issued an executive order to improve cybersecurity of the nation’s critical infrastructure, which also stressed improved information sharing.
Past efforts have not made it easier or more welcoming for industry to voluntarily share its own intelligence. “We need to allow for a more healthy environment and a safe haven, so to speak, to bring those communities of interest together to be able to take information sharing to the level of actionable sharing versus just sharing of potential post-event data,” says William F. Pelgrin, CEO and president of the Center for Internet Security.
While industry might clamor for better cybersecurity dialogue, businesses are hesitant to relinquish control, particularly to the government. “The Obama administration was trying, a few years back, to come out with a cybersecurity bill that actually had some teeth in it,” said Sanford “Sandy” Reback, senior technology analyst for Bloomberg Government, at a Fairfax County Chamber of Commerce cybersecurity forum for small businesses. “And it didn’t make it through Congress because most of the business sectors said, ‘We don’t want you, the government, telling us what we need to do to protect our own systems’—in many instances, for very good reasons,” Reback continued. “They think they’re on the front lines. They understand the technology. Things are changing very quickly. The government is not in a good position to [adapt to the changes]. That’s one of the main reasons we’re in this situation where it’s a voluntary framework kind of supplemented by this patchwork quilt … of different laws.”
“We’ve done a great job on awareness,” adds expert John Gilligan, president and chief operating officer of Schafer Corp. “You can’t go a day without hearing about cyber-security issues. But we haven’t changed behavior yet. How do we change behavior in a positive way?”