Thoughts On Information Sharing As Congress Introduces Cybersecurity Bill

February 23, 2011

Last week, after much anticipation and delay, the bipartisan Senate cybersecurity legislation, S. 2105 – Cybersecurity Act of 2012, was unveiled.

Though it is laudable that Congress has begun in earnest to attend to the critical cybersecurity threats that face America, there has been little debate about the how information sharing and defense of critical infrastructure will occur in practical terms when, and if, cybersecurity legislation is finally adopted.

While information sharing provisions of the existing bills envision public-private information exchanges, or in the case of H.R. 3523, direct information sharing between U.S. intelligence agencies and the private sector, real-time information sharing appears to be much more difficult to accomplish in practice than is being discussed on the Hill.

For instance, consider the ongoing Defense Industrial Base Cyber Pilot Program (“DIB Pilot”), which began in May 2011 and uses NSA data to protect the computer networks of defense contractors.  According to a Defense Department study, the program obtained by the Washington Post, the DIB Pilot, the threat signatures provided by the NSA were of little help in protecting DIB Pilot networks from cyber attacks beyond what DIB Pilot participants’ existing cyber defense could deal with.

Conclusions may differ – the 17 DIB Pilot participants are defense contractors that already deploy sophisticated cybersecurity defenses – thus similar information provided to less sophisticated entities may provide more impressive results in mitigating cyber attacks.  Expansion of the DIB Pilot program would therefore be  welcomed to determine how information sharing may facilitate greater cyber resiliency in less protected sectors.

Then there is the matter of how information is shared and what information is shared.  For instance, the Post noted that classified data was shared with DIB Pilot participants via hand-delivered paper documents “every two days or so.”  This method of data sharing is antiquated in our networked world.  Without real-time data sharing, information may be obsolete by the time it’s received, and can hardly be put to use to combat an imminent attack.

Further, the results of the DIB Pilot study prompt one to ask whether our intelligence agencies are truly capable, or interested, in sharing their highly classified data with private sector entities.  As chronicled in the 9/11 Commission Report, America’s law enforcement and intelligence gathering agencies are expert in gathering and analyzing data and intelligence, but sharing that data across agencies and through levels of bureaucracy proved difficult.

Now, we are asking our most secretive intelligence gathering organizations to trust other agencies with the data they have collected, and further trust private sector organizations with that data as well.

Sharing with private sector operators of critical infrastructure would necessarily require an even greater cultural leap.

Last week, House Intelligence Committee Chairman Mike Rogers, R-Mich., said that U.S. intelligence agencies have cyber threat detection and intelligence capabilities far advanced than private sector entities.  However, at present, the DIB Pilot results at this point don’t bear this out.

While there is widespread agreement that there is no silver bullet in cybersecurity policymaking, there is consensus that information sharing is the key element in helping private entities protect their networks while giving government cybersecurity officials greater insight into the threats on both public and private networks.  Thus, to get it right, Members of Congress must be certain that the information sharing they envision in legislation will actually streamline information sharing in real-time, rather than merely paper over the bureaucratic challenges of intelligence sharing.

Related Articles

CCIA Dismayed by AG Opposition to Stronger Consumer Encryption Options

Oct 3, 2019

Washington — US Attorney General Barr, along with officials in several other countries, are planning an open letter asking that Facebook not deploy end-to-end encryption to protect consumers using its apps, according to various news reports. Facebook is reportedly developing better encryption features in response to users’ increased demand for more online privacy.  A letter…

European Parliament Vote Calls For Better Handling Of Cybersecurity Vulnerabilities

Jul 10, 2018

Brussels — Today, the European Parliament’s Industry, Research and Energy Committee (ITRE) adopted its report on the proposed EU Cybersecurity Act. The report includes provisions to  improve how EU Member States manage cybersecurity vulnerabilities to avoid large-scale exploitation of software vulnerabilities as seen during the “WannaCry” attack.  Negotiations between the European Parliament, Council and Commission…

Takeaways from Disrupter Series Hearing on The Internet of Things, Manufacturing, and Innovation

Jan 30, 2018

The Internet of Things (IoT) is already impacting and changing the global manufacturing landscape. On Thursday January 18, the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection held a hearing as part of their Disrupter Series on IoT, Manufacturing and Innovation. Specifically, the Committee heard testimony from Rodney Masney, Vice President, Technology…