Last week, after much anticipation and delay, the bipartisan
Senate cybersecurity legislation, S.
2105 – Cybersecurity Act of 2012, was unveiled.
Though it is laudable that Congress has begun in earnest to
attend to the critical cybersecurity threats that face America, there has been
little debate about the how information sharing and defense of critical
infrastructure will occur in practical terms when, and if, cybersecurity
legislation is finally adopted.
While information sharing provisions of the existing bills
envision public-private information exchanges, or in the case of H.R. 3523,
direct information sharing between U.S. intelligence agencies and the private
sector, real-time information sharing appears to be much more difficult to
accomplish in practice than is being discussed on the Hill.
For instance, consider the ongoing Defense Industrial Base
Cyber Pilot Program (“DIB Pilot”), which began in May 2011 and uses NSA data to
protect the computer networks of defense contractors. According to a Defense Department study, the program
obtained by the Washington Post, the DIB Pilot, the
threat signatures provided by the NSA were of little help in protecting DIB
Pilot networks from cyber attacks beyond what DIB Pilot participants’ existing
cyber defense could deal with.
Conclusions may differ – the 17 DIB Pilot participants are
defense contractors that already deploy sophisticated cybersecurity defenses –
thus similar information provided to less sophisticated entities may provide
more impressive results in mitigating cyber attacks. Expansion of the DIB Pilot program would therefore be welcomed to determine how information
sharing may facilitate greater cyber resiliency in less protected sectors.
Then there is the matter of how information is shared and
what information is shared. For
instance, the Post noted that
classified data was shared with DIB Pilot participants via hand-delivered paper
documents “every two days or so.”
This method of data sharing is antiquated in our networked world. Without real-time data sharing,
information may be obsolete by the time it’s received, and can hardly be put to
use to combat an imminent attack.
Further, the results of the DIB Pilot study prompt one to
ask whether our intelligence agencies are truly capable, or interested, in
sharing their highly classified data with private sector entities. As chronicled in the 9/11 Commission Report, America’s law
enforcement and intelligence gathering agencies are expert in gathering and
analyzing data and intelligence, but sharing that data across agencies and
through levels of bureaucracy proved difficult.
Now, we are asking our most secretive intelligence gathering
organizations to trust other agencies with the data they have collected, and
further trust private sector organizations with that data as well.
Sharing with private sector operators of critical
infrastructure would necessarily require an even greater cultural leap.
Last week, House Intelligence Committee Chairman Mike Rogers,
R-Mich., said that U.S. intelligence agencies have cyber threat detection and
intelligence capabilities far advanced than private sector entities. However, at present, the DIB Pilot
results at this point don’t bear this out.
While there is widespread agreement that there is no silver
bullet in cybersecurity policymaking, there is consensus that information
sharing is the key element in helping private entities protect their networks
while giving government cybersecurity officials greater insight into the
threats on both public and private networks. Thus, to get it right, Members of Congress must be certain
that the information sharing they envision in legislation will actually
streamline information sharing in real-time, rather than merely paper over the
bureaucratic challenges of intelligence sharing.
