Thoughts On Information Sharing As Congress Introduces Cybersecurity Bill

February 23, 2011

Last week, after much anticipation and delay, the bipartisan Senate cybersecurity legislation, S. 2105 – Cybersecurity Act of 2012, was unveiled.

Though it is laudable that Congress has begun in earnest to attend to the critical cybersecurity threats that face America, there has been little debate about the how information sharing and defense of critical infrastructure will occur in practical terms when, and if, cybersecurity legislation is finally adopted.

While information sharing provisions of the existing bills envision public-private information exchanges, or in the case of H.R. 3523, direct information sharing between U.S. intelligence agencies and the private sector, real-time information sharing appears to be much more difficult to accomplish in practice than is being discussed on the Hill.

For instance, consider the ongoing Defense Industrial Base Cyber Pilot Program (“DIB Pilot”), which began in May 2011 and uses NSA data to protect the computer networks of defense contractors.  According to a Defense Department study, the program obtained by the Washington Post, the DIB Pilot, the threat signatures provided by the NSA were of little help in protecting DIB Pilot networks from cyber attacks beyond what DIB Pilot participants’ existing cyber defense could deal with.

Conclusions may differ – the 17 DIB Pilot participants are defense contractors that already deploy sophisticated cybersecurity defenses – thus similar information provided to less sophisticated entities may provide more impressive results in mitigating cyber attacks.  Expansion of the DIB Pilot program would therefore be  welcomed to determine how information sharing may facilitate greater cyber resiliency in less protected sectors.

Then there is the matter of how information is shared and what information is shared.  For instance, the Post noted that classified data was shared with DIB Pilot participants via hand-delivered paper documents “every two days or so.”  This method of data sharing is antiquated in our networked world.  Without real-time data sharing, information may be obsolete by the time it’s received, and can hardly be put to use to combat an imminent attack.

Further, the results of the DIB Pilot study prompt one to ask whether our intelligence agencies are truly capable, or interested, in sharing their highly classified data with private sector entities.  As chronicled in the 9/11 Commission Report, America’s law enforcement and intelligence gathering agencies are expert in gathering and analyzing data and intelligence, but sharing that data across agencies and through levels of bureaucracy proved difficult.

Now, we are asking our most secretive intelligence gathering organizations to trust other agencies with the data they have collected, and further trust private sector organizations with that data as well.

Sharing with private sector operators of critical infrastructure would necessarily require an even greater cultural leap.

Last week, House Intelligence Committee Chairman Mike Rogers, R-Mich., said that U.S. intelligence agencies have cyber threat detection and intelligence capabilities far advanced than private sector entities.  However, at present, the DIB Pilot results at this point don’t bear this out.

While there is widespread agreement that there is no silver bullet in cybersecurity policymaking, there is consensus that information sharing is the key element in helping private entities protect their networks while giving government cybersecurity officials greater insight into the threats on both public and private networks.  Thus, to get it right, Members of Congress must be certain that the information sharing they envision in legislation will actually streamline information sharing in real-time, rather than merely paper over the bureaucratic challenges of intelligence sharing.

Related Articles

CCIA Whitepaper Identifies National Security Risks Posed By House Bills Targeting U.S. Tech Companies

Sep 13, 2021

Washington — The Computer & Communications Industry Association has released a white paper on the national security implications of several House-passed bills aimed at a handful of U.S. tech companies as they compete with foreign companies. These bills were introduced in June 2021 and were marked up without legislative hearings or input from stakeholders, particularly…

New EU Cybersecurity Rules Should Promote Security Mitigation, Avoid Compliance Red Tape

Dec 16, 2020

Brussels, BELGIUM — The European Commission published today a legislative proposal to update the 2016 Network and Information Security Directive.  The proposal aims to reduce regulatory inconsistencies across the EU’s internal market and it encourages security information sharing to help companies effectively address future cybersecurity risks. But the proposal also suggests that cloud computing providers,…

CCIA Offers European Commission Comments On Data Transfer Method

Dec 11, 2020

CCIA submitted comments to the European Commission on the draft new Standard Contractual Clauses (‘SCC’) to transfer data outside of the EU. CCIA believes this transfer tool will pave the way towards greater legal certainty for most data transfers outside the European Union. However, the tool could still be made more practical for companies to…