Last week, after much anticipation and delay, the bipartisan Senate cybersecurity legislation, S. 2105 – Cybersecurity Act of 2012, was unveiled.
Though it is laudable that Congress has begun in earnest to attend to the critical cybersecurity threats that face America, there has been little debate about the how information sharing and defense of critical infrastructure will occur in practical terms when, and if, cybersecurity legislation is finally adopted.
While information sharing provisions of the existing bills envision public-private information exchanges, or in the case of H.R. 3523, direct information sharing between U.S. intelligence agencies and the private sector, real-time information sharing appears to be much more difficult to accomplish in practice than is being discussed on the Hill.
For instance, consider the ongoing Defense Industrial Base Cyber Pilot Program (“DIB Pilot”), which began in May 2011 and uses NSA data to protect the computer networks of defense contractors. According to a Defense Department study, the program obtained by the Washington Post, the DIB Pilot, the threat signatures provided by the NSA were of little help in protecting DIB Pilot networks from cyber attacks beyond what DIB Pilot participants’ existing cyber defense could deal with.
Conclusions may differ – the 17 DIB Pilot participants are defense contractors that already deploy sophisticated cybersecurity defenses – thus similar information provided to less sophisticated entities may provide more impressive results in mitigating cyber attacks. Expansion of the DIB Pilot program would therefore be welcomed to determine how information sharing may facilitate greater cyber resiliency in less protected sectors.
Then there is the matter of how information is shared and what information is shared. For instance, the Post noted that classified data was shared with DIB Pilot participants via hand-delivered paper documents “every two days or so.” This method of data sharing is antiquated in our networked world. Without real-time data sharing, information may be obsolete by the time it’s received, and can hardly be put to use to combat an imminent attack.
Further, the results of the DIB Pilot study prompt one to ask whether our intelligence agencies are truly capable, or interested, in sharing their highly classified data with private sector entities. As chronicled in the 9/11 Commission Report, America’s law enforcement and intelligence gathering agencies are expert in gathering and analyzing data and intelligence, but sharing that data across agencies and through levels of bureaucracy proved difficult.
Now, we are asking our most secretive intelligence gathering organizations to trust other agencies with the data they have collected, and further trust private sector organizations with that data as well.
Sharing with private sector operators of critical infrastructure would necessarily require an even greater cultural leap.
Last week, House Intelligence Committee Chairman Mike Rogers, R-Mich., said that U.S. intelligence agencies have cyber threat detection and intelligence capabilities far advanced than private sector entities. However, at present, the DIB Pilot results at this point don’t bear this out.
While there is widespread agreement that there is no silver bullet in cybersecurity policymaking, there is consensus that information sharing is the key element in helping private entities protect their networks while giving government cybersecurity officials greater insight into the threats on both public and private networks. Thus, to get it right, Members of Congress must be certain that the information sharing they envision in legislation will actually streamline information sharing in real-time, rather than merely paper over the bureaucratic challenges of intelligence sharing.