New Cybersecurity Push, Old Problem
IT’S WELL KNOWN that the government can only go so far to secure the nation’s critical infrastructure, because private sector owner-operators control roughly 85 percent of it nationwide. In the case of IT infrastructure, that figure is even higher.
The White House’s push for a new, more robust approach to cybersecurity hinges on whether both sides can finally establish a framework for broad-based, trusted information sharing that will allow effective, systemwide risk analysis and management. That has proven a particularly elusive goal for the IT sector and its federal partners, although they were striving to achieve it even before 9-11.
The private sector doubts that its data will remain secure once provided to the government. John Lewis, an IT expert at the Center for Strategic and International Studies (CSIS), says that this situation presents an “unbounded risk” for companies.
Lewis and other observers point to major government data breaches during 2006 and 2007 as a collective breaking point for private-sector confidence in the federal government’s ability to protect data, whether its own or the private sector’s. (It’s fair to wonder why this is a bigger threat than the fact that the private sector can’t secure its own data against similar hack attacks.)
Perhaps more to the point is the fear that one government agency will share data with another or leak it to the press. “The [companies] with the information don’t know where it will go. It could end up at the FBI, it could end up in The New York Times,” Lewis says. “And this is a reasonable concern on the companies’ part.”
While details of the Obama administration’s cybersecurity plan have yet to be spelled out, in its 60-day “clean slate” review of U.S. cybersecurity policy, the White House looked to Britain, where stakeholders have found a potential fix for the private sector’s data security concerns. There, the independent Centre for the Protection of National Infrastructure collects and anonymizes shared private-sector IT data for risk analysis.
In 1998 President Clinton defined critical infrastructure sectors and advised establishment of sector-based Information Sharing and Analysis Centers (ISACs) as hubs through which industry and government could share data, among them the IT-ISAC. But lacking still, Lewis says, is a formal set of rules for the government’s handling of data received from the private sector. While the ISAC Council, a governance body for 13 separate sector ISACs, has developed a framework of common terms and role definitions for ISACs, the federal government has yet to define what IT data it wants from the private sector, and what it plans to do with it, says John Bumgarner, CISSP, a former information security specialist in the U.S. intelligence community, and now chief scientist of U.S. Cyber Consequences Unit, an independent research organization.
If the federal government wants to begin effective systemic risk analysis and management, Bumgarner says, it must obtain reports from the private sector about breaches, their nature, their suspected sources, and their effects. The government should then take that information and produce useful recommendations for private-sector operators to address vulnerabilities, he says.
Obtaining those reports would require clear definitions of what constitute reportable breaches. It would also require that there be incentives for reporting, which Bumgarner says could take the form of a “carrot or stick.”
Effective tactical information sharing among those in the government and the IT sector does occur, facilitated by both the IT-ISAC and the federal government’s U.S. Computer Emergency Readiness Team (U.S.-CERT). Bumgarner says U.S.-CERT serves as an around-the-clock clearinghouse that exchanges information with the private sector on threat, vulnerability, and patch information.
Speaking at CSIS soon after the release of the White House review, author Melissa Hathaway pointed to the Conficker computer worm, which first came to light last November, as a case in which the private sector did exemplary work sharing information among companies, later with help from the federal government.
Bill Nelson, President and CEO of the Financial Services ISAC and vice chairman of the ISAC Council, credits the ITISAC with serving as a hub for information sharing during the response to the Conficker outbreak.