The linchpin of President Obama’s recently launched cybersecurity initiative is to encourage the private sector to share information to better defend against cyberattacks.
Yet US companies have historically been wary of openly talking about their cybersecurity efforts with competitors and with government — for good reason.
Many businesses fear that sharing threat-related information could expose them to liability and litigation, undermine shareholder or consumer confidence, or introduce the potential for leaks of proprietary information.
For some companies, Edward Snowden’s revelations of sweeping government surveillance programs have reinforced the impulse to hold corporate cards close to the vest. Yet on the heels of a deluge of high-profile cyberattacks and breaches against numerous US companies, we may finally have reached a tipping point, where potential harm to reputation and revenue now outweighs the downside of disclosure from a corporate perspective.
Blueprint for safer internet
Obama’s executive order is meant to shore up public health and safety, as well as national and economic security, by promoting the exchange of information on cybersecurity risks and incidents. The goal is to share data within and between industries to foster speedy and effective response to cyberthreats.
The executive order empowers the Secretary of Homeland Security to “strongly encourage the development and formation of Information Sharing and Analysis Organizations” (ISAOs), “organized on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities.” These ISAOs are intended “to serve as focal points for cybersecurity information sharing and collaboration within the private sector and between the private sector and government.”
In addition, three days before the announcement of the executive order, the White House announced the creation of a national Cyber Threat Intelligence Integration Center (CTIIC). Akin to the National Counterterrorism Center, the CTIIC will work to “connect the dots between various cyberthreats to the nation so that relevant departments and agencies are aware of these threats in as close to real time as possible.” The ultimate objective is to “facilitate and support efforts by the government to counter foreign cyberthreats.”
The idea underlying the executive order and companion measures is to make it harder for cybercriminals, and for more dangerous adversaries, to achieve their prize, be it profit, intellectual property, state secrets, or geo-strategic advantage. For too long, too many factors have operated in the attacker's favor.
Although the executive order lacks the force of legislation (only Congress can enact liability protections, for instance), private sector companies may still choose to cooperate. Such participation, while voluntary, is crucial because more than 80% of US critical infrastructure is privately owned and operated, and each such sector is, in and of itself, essential to US national and economic security.
Models for cooperation
Keeping enterprises up and running is all the more important because their operations may be intertwined with one another. Taking down one sector, the electric grid for example, may therefore bring down others, yielding cascading and potentially catastrophic effects for the country. The good news is that collaboration between and among private entities is already underway, and one size need not fit all.
Take, for example, the Financial Services Information Sharing and Analysis Center (FS-ISAC), which facilitates sector-wide exchanges regarding cyber-related threats and their remediation. Or consider Microsoft’s Cybercrime Center, which works in tandem with law enforcement and other partners worldwide to disseminate information and thwart criminals. These are just two examples of corporate actors spearheading initiatives that pre-date the executive order and that serve both the public and private interest.
Letting a thousand flowers bloom, that is, encouraging many separate flows of information between industries and government, may seem like a chaotic approach, yet existing efforts have achieved some real success. More such endeavors, tailored to context, may in fact prove constructive as the cyber-threat ecosystem continues to evolve.
For example, a group of US companies (including McAfee and Symantec) is banding together to form a “Cyber Threat Alliance” which aims “to disperse threat intelligence on advanced adversaries across all member organizations to raise the overall level of situational awareness to better protect both the…organizations and their customers.” After all, it is companies themselves that usually have the greatest incentive to protect their own assets. Yet companies need to understand and respect the contours of what constitutes lawful defense and response, consistent with the government's rules of the road, which, admittedly, are at best a work in progress.
Other countries are also grappling with the question of how to effectively protect systems and networks, both private and public. Leading the pack is Estonia, an early target of cyberattack (2007) and an early adopter of e-governance (government services provided online), with a continuing commitment to innovation and digital security that is widely shared by officials and entrepreneurs alike. The country's latest cyber-initiative is bold and ambitious: creating “digital data embassies” worldwide and offering “digital citizenship” (“e-residency rights”) to all who are prepared to meet the requirements. This gambit has dual goals: to protect data and services in the event of cyberattack, and to facilitate additional foreign investment in the country and thereby generate economic growth.
National imperative and individual duty
What works for Estonia may not be a good fit, at least in its entirety, for other nations. The country is small in terms of territory and population, and it did not have to contend with legacy systems when building its infrastructure from the ground up after regaining its independence from Soviet rule in 1991. But the principles behind Estonia's policies are certainly instructive.
These include a whole-of-society approach to cybersecurity that incorporates the discipline (coding, programming, etc.) into the education system and curricula, beginning in first grade and continuing through to university. The result is a prevailing culture and mindset that conceives of cybersecurity as both a national imperative and an individual duty.
As the United States seeks to elevate its cybersecurity posture in ways that best suit its size, economy, circumstances, and traditions (based on history, respect for privacy and civil liberties, and so on), it will be important to complement private sector information-sharing efforts with a host of other measures.
These include building a cyberworkforce that is sufficiently large and skilled to meet existing and future US needs. It means designing and engineering secure systems and architectures. It also includes cultivating an operating culture (in government and business) that recognizes cybersecurity to be a priority from the get-go as opposed to an afterthought. Falling short here will negatively affect US national and economic security.
This month’s executive order is a spur to get the ball rolling but, frankly, there is a limit to what government alone can (and should) do in this area. Changes in attitudes and behaviors are needed across the board, right down to families and individuals.