Recently Dennis Blair, director of national intelligence, presented the Annual Threat Assessment of the U.S. Intelligence Community to the Senate Select Committee on Intelligence and painted a much starker picture of the current state of cybersecurity in the country compared to his testimony last year.
According to Blair, the United States confronts a dangerous combination of known and unknown vulnerabilities, strong and rapidly expanding adversary capabilities, and a lack of comprehensive threat awareness. Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication. That cyber attacks are on the rise is no secret; we have known it for quite some time. The question we have to ask ourselves is the “so what” factor. We are finally on the right track toward understanding the current health of our government’s information security posture, but we have to better understand how to make this intelligence actionable.
Sensitive information is stolen daily from both government and private sector networks and, as Blair stated, this continues to undermine confidence in our information systems and in the very information these systems were intended to convey. Today, it’s not about acting independently; it’s about taking a top-down approach to bridging the gaps that exist between the private sector and the public sector so that we can fully control and protect our country’s information infrastructure.
It’s absolutely true that private sector organizations should be reporting cyber attacks to authorities, and that the public and private sectors should be working together to analyze weaknesses, combat cyber criminals and reduce the threat of cyber attacks. Without collaboration, how can the threat of cyber attacks be effectively addressed and better managed?
The problem is, at present there exists no viable entity that can serve as a bridge between the public and private sectors, and there are no real incentives for companies to report on security incidents.
Unlike countries such as Singapore, which have organizations that enable government and private industry to collaborate and share information about security weaknesses and attacks, we have no such vehicle in place.
Today, if a company has a cybersecurity problem and wants to notify authorities, the only option is generally to call the FBI. That can result in long delays and in many cases nothing gets done—and the company ends up with negative publicity if the story gets out that there’s been a security breach.
What the U.S. needs is a non-toxic bridge between the private sector and the federal government, one that allows businesses to report incidents using clear definitions of what those incidents are and what their impact is. This would give us a national taxonomy of attacks, allowing us to understand the issues and to actively participate in thwarting these attacks. Some countries have the advantage of imposing data security regulations nationwide on critical infrastructure because that infrastructure is state-owned. We do not have that benefit, so we need to bring the two traditionally separate sectors together to collaborate and to protect our intellectual property, our way of life, and our future.
The Washington Post recently reported that Google has enlisted the National Security Agency in the name of cybersecurity to help defend Google and its users from future attack. This is a step in the right direction but the effort needs to be much broader and inclusive – bringing corporate America and the public sector together in a cohesive manner.
This entity, which ideally should be created under the leadership of the nation’s new cybersecurity coordinator Howard Schmidt, would also help to educate the public sector and business leaders about the risks of not being prepared for cyber attacks and what needs to be done to effectively protect their corporate crown jewels – their invaluable intellectual property, corporate information and the critical infrastructure that keeps their company going day in and day out.