Thoughts On Information Sharing As Congress Introduces Cybersecurity Bill

By CCIA Staff
February 23, 2011

Last week, after much anticipation and delay, the bipartisan Senate cybersecurity legislation, S. 2105 – Cybersecurity Act of 2012, was unveiled.

Though it is laudable that Congress has begun in earnest to attend to the critical cybersecurity threats that face America, there has been little debate about how information sharing and defense of critical infrastructure will occur in practical terms when, and if, cybersecurity legislation is finally adopted.

While information sharing provisions of the existing bills envision public-private information exchanges, or in the case of H.R. 3523, direct information sharing between U.S. intelligence agencies and the private sector, real-time information sharing appears to be much more difficult to accomplish in practice than is being discussed on the Hill.

For instance, consider the ongoing Defense Industrial Base Cyber Pilot Program (“DIB Pilot”), which began in May 2011 and uses NSA data to protect the computer networks of defense contractors. According to a Defense Department study of the program obtained by the Washington Post, the threat signatures provided by the NSA were of little help in protecting DIB Pilot networks from cyber attacks beyond what DIB Pilot participants’ existing cyber defenses could deal with.

Conclusions may differ: the 17 DIB Pilot participants are defense contractors that already deploy sophisticated cybersecurity defenses, so similar information provided to less sophisticated entities may provide more impressive results in mitigating cyber attacks. Expansion of the DIB Pilot program would therefore be welcomed to determine how information sharing may facilitate greater cyber resiliency in less protected sectors.

Then there is the matter of how information is shared and what information is shared.  For instance, the Post noted that classified data was shared with DIB Pilot participants via hand-delivered paper documents “every two days or so.”  This method of data sharing is antiquated in our networked world.  Without real-time data sharing, information may be obsolete by the time it’s received, and can hardly be put to use to combat an imminent attack.

Further, the results of the DIB Pilot study prompt one to ask whether our intelligence agencies are truly capable of, or interested in, sharing their highly classified data with private sector entities. As chronicled in the 9/11 Commission Report, America’s law enforcement and intelligence gathering agencies are expert in gathering and analyzing data and intelligence, but sharing that data across agencies and through levels of bureaucracy proved difficult.

Now, we are asking our most secretive intelligence gathering organizations to trust other agencies with the data they have collected, and further trust private sector organizations with that data as well.

Sharing with private sector operators of critical infrastructure would necessarily require an even greater cultural leap.

Last week, House Intelligence Committee Chairman Mike Rogers, R-Mich., said that U.S. intelligence agencies have cyber threat detection and intelligence capabilities far more advanced than those of private sector entities. However, the DIB Pilot results at this point don’t bear this out.

While there is widespread agreement that there is no silver bullet in cybersecurity policymaking, there is consensus that information sharing is the key element in helping private entities protect their networks while giving government cybersecurity officials greater insight into the threats on both public and private networks.  Thus, to get it right, Members of Congress must be certain that the information sharing they envision in legislation will actually streamline information sharing in real-time, rather than merely paper over the bureaucratic challenges of intelligence sharing.
