“If your neighbor’s house gets broken into, you’d want to know about it.”
That was how John Landwehr, Vice President for Digital Government Solutions at Adobe Systems, put a fine point on the need for efficient and effective sharing of cyber threat information. He spoke at a packed briefing BSA hosted today on Capitol Hill to help educate House staff on issues involved in cyber legislation now pending in Congress.
Landwehr used the analogy of a home invasion to illustrate what information ought to be shared, with whom, and for what purpose: You would want to know how the break-in occurred so you could take appropriate steps to protect your house from the same type of crime. You would want others in the neighborhood to know, too, so they could take similar steps. And you would want the police to know, so they could track down the thief.
It is similar with cyber threat information, so there needs to be an appropriately robust and well-functioning system for sharing warnings. Jeff Greene, Senior Policy Counsel with Symantec, described it at today’s briefing as “tri-directional” sharing: Actionable information needs to flow from government to the private sector, from the private sector to government, and between entities in the private sector.
Some of this kind of sharing is already occurring, Greene noted. Some. But it is not nearly as efficient as it needs to be. Greene said there needs to be much faster processing of information to effectively combat threats, and key obstacles need to be removed, such as legal restrictions. Greene also noted that legislation to promote information sharing needs to be precise about what can be shared — namely, pertinent threat information — and what it can be used for: taking appropriate protective and enforcement measures against cyber threats and crimes.
Effective information sharing in the private sector might be where there is the biggest “bang for the buck.” But government leadership also is critical in bolstering the country’s cyber readiness, said panelist Angela McKay, a Senior Security Strategist at Microsoft. McKay outlined three forms government leadership should take: leadership by example, leadership by empowerment, and leadership through long-term commitment.
For the government to lead by example, McKay said Congress should reform the Federal Information Security Management Act to ensure that federal agencies no longer go through bureaucratic “check-the-box” exercises to inspect their systems but instead engage in continuous monitoring and improvement. For government to lead by empowerment, legislation needs to facilitate an information sharing process that gets warnings about specific threats not just in front of those who “need to know” but also in front of those who “need to act.” Finally, to bolster the country’s security for the long term, legislation should promote investment in cyber training, research and development. All of these issues are addressed in bills set to be debated on the House floor next week.
The striking thing in the unfolding cybersecurity debate is the extent to which diverse stakeholders agree on the practical outlines of what ought to be done, legislatively. Civil liberties advocates have voiced substantive concerns with the privacy implications of provisions currently contemplated in the Cyber Intelligence Sharing and Protection Act, sponsored in the House by Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.). But Greg Nojeim, Senior Counsel at the Center for Democracy & Technology, made clear they agree with the basic idea of beefing up cyber readiness through information sharing — as long as legislation carefully defines what kind of information can be shared with government and how it can be used.
Nojeim argued for a definition of actionable threat information that will be easy for IT professionals and their companies’ lawyers to understand and apply. Nojeim also outlined restraints CDT would like to see on how wide a net can be cast in monitoring for potential threats and how information gleaned from the private sector can be used by government.
BSA Director of Government Relations Tim Molino, who moderated today’s briefing, said it is clear legislation must strike the right balance between America’s dual interests in bolstering cybersecurity and protecting privacy.
The good news is there is time and opportunity to address remaining concerns in the bill. Rogers and Ruppersberger have opened their doors to stakeholders — and they, their staffs, and groups like CDT and BSA are actively engaged in a constructive dialogue.