By Alex Liao
With recent cyberattacks on defense corporations including Lockheed Martin and Northrop Grumman, cybersecurity has gained its place in the public consciousness. Indeed, President Obama declared that the “cyber threat is one of the most significant economic and national security challenges we face as a nation.” In May, the Obama Administration released a Cybersecurity Legislative Proposal aimed at securing and safeguarding the nation’s network infrastructure in light of growing threats online.
In its proposal, the White House emphasized the primacy of public-private partnerships in developing a cohesive cybersecurity policy. Under the status quo, companies often have little incentive to share information about cyberattacks, such as data breaches, which can erode public confidence in the company. The White House seeks to incentivize private cooperation with government so that the two sectors work together in protecting the nation’s security systems. In particular, the proposal would unify 47 divergent state notification laws on identity theft, creating a more cogent system of reporting requirements. It would require organizations to inform citizens when their personal information has been compromised. Moreover, the proposal would attempt to unify criminal penalties for hacking the nation’s critical infrastructure, and would permit the government to share information with organizations that manage critical infrastructure, with guarantees of immunity. In this way, the Administration aims to create a transparent security apparatus that ensures the information organizations share will not be used to impinge on citizens’ civil liberties, while incentivizing the sharing of that information in the first place. Hence, the cooperative system melds the private and public sectors to create a more unified security basis.
On the individual level, the Obama Administration aims to allow the Department of Homeland Security to develop and implement intrusion detection systems, with oversight embedded alongside annual certification to verify the safeguards’ rigor. This authority, which would derive from an updated Federal Information Security Management Act, would also allow the Department of Homeland Security to hire more cybersecurity professionals to bolster the human capital available for the fight. This plank of the proposal would require cooperation with the private sector in the wake of cyberattacks, cooperation which is currently fractured by the various state laws. The proposal would end this inequity with national, unified cybersecurity legislation.
Currently, federal policy permits the Department of Homeland Security and the Department of Defense to defend the .gov and .mil network space. However, this scale of coordination does not exist for private networks. There are few regulatory oversight or enforcement mechanisms in place over the private sector as a whole. In cases where government does work with the private sector, information sharing is voluntary. In turn, a quasi-balance has emerged between sharing enough information for cybersecurity collaboration with other companies and protecting confidential information. The Obama Administration, then, is attempting to increase collaboration while providing assurances for companies’ privacy.
Instead of strict regulation, the Pentagon has worked directly with defense contractors, creating a partnership called the Enduring Security Framework in 2007 with large technology and defense companies to safeguard their computer systems. The Defense Industrial Base effort under the Department of Homeland Security also works with defense companies to protect their intellectual property and coordinate responses to intrusions. Nevertheless, it has been criticized for its poor technological expertise. Its shortfalls include an inability to determine the identity of the perpetrators of cyber intrusions and the methods of intrusion. Its counter-intrusion strategies have also been revealed to be over a decade old. Hence, while defense companies have been able to detect intrusions and provide short-term fixes, they can do very little to eradicate the problem.
With the creation of the U.S. Cyber Command under the Department of Defense, the nation has gained the ability to develop a cogent cybersecurity doctrine and to train cybersecurity specialists. Its partnership with the Department of Homeland Security, called “Active Defense,” allows it to work with Tier 1 Internet service providers – which are involved in critical infrastructure systems – to stop malware and other threats to privacy from infiltrating networks. Moreover, working with private sector professionals, the federal government has set up the United States Telecommunications Training Institute to train professionals around the world in cybersecurity and related fields. It has additionally worked with the International Telecommunications Union to develop capacity-building study groups and international risk standards. Likewise, on the international level, the third iteration of Cyber Storm – the Department of Homeland Security’s biennial cybersecurity exercise – featured extensive private sector contributions, including 60 private sector companies. The exercise helped implement the National Cyber Response Plan to coordinate future public-private strategies in the event of cybersecurity emergencies. Hence, private sector participation in cybersecurity efforts has proved to be readily available, with critical infrastructure companies playing integral roles in the Cyber Storm exercises.
Nevertheless, the current level of public-private partnership leaves much work to be done, as both parties require at least a baseline level of cybersecurity defense above the current haphazard, overlapping security landscape, which readily excludes private companies that are unwilling to participate. Of course, the high risk of cybersecurity threats warrants higher levels of public-private cooperation, which may inevitably include regulation and oversight. With increased regulation comes an increased risk of outcry or backlash from the business community.
On the whole, private industry has been receptive to the federal government’s cybersecurity initiatives. Intellectual property theft causes multibillion-dollar losses for high-profile companies, which could also be hurt by the negative stigma attached to a public announcement of a data breach or cyberattack. Notwithstanding this, private companies often withhold information that could prove useful in stifling cyber intrusions or coordinating with other companies. Especially with classified information in the hands of defense companies, the current system of voluntary relationships creates roadblocks to a successful cybersecurity doctrine. Draft legislation in Congress could potentially provide incentives or reimbursements to encourage companies to cooperate with a more stringent regulatory apparatus based on risk-based performance standards developed by the Department of Homeland Security. Moreover, drafting federal security standards collaboratively at the public-private level would override the vagaries of haphazard state laws and regulations.
Members of the Congressional Cybersecurity Caucus, however, were displeased with the lack of an Office of Cyberspace in the White House’s proposal. They argue that more concrete incentives and legal requirements are necessary for companies to consider sharing more personal information. They cite the breaches of Sony’s security over the past few months, which require more specific legislation than that proffered by Obama’s staff. Private sector firms such as Imperva and SpiderLabs, which called for more specific action from the public-private partnerships, corroborated this sentiment.
Hence, companies have largely avoided criticizing the federal government’s overtures in the cybersecurity realm. Under future regulation, according to Obama’s proposal, industry professionals would be able to set their own standards with government approval and without the threat of any monetary fines. Private organizations would also be immune from lawsuits when sharing information with the federal government. Moreover, there is significant indication that the safeguards will never be developed: the privacy and civil liberties oversight board created to deal with the situation has seated only two of its five members, and holds little power over the enforcement of standards. Thus, the voluntary, collaborative public-private partnership appeals to private companies, especially security firms, which stand to gain demand for their products.
The companies most affected by the Obama Administration’s cybersecurity strategy, however, are critical infrastructure businesses. These include companies that manage systems underpinning substantial areas of the nation’s security, economy, and public health. The administration has taken a staunchly protective posture toward these companies, placing great emphasis on them in its policy. For instance, it has requested a mandatory minimum three-year prison sentence for hackers who cause significant harm to critical infrastructure systems. Even as it protects them, however, the enforcement mechanisms for cybersecurity compliance remain lean and favor businesses. For instance, the industry audits of these companies under Obama’s proposal open the door to abuse, allowing companies to simply pay auditors to certify their security systems. Moreover, the national data breach notification law would supplant state laws, some of which lawmakers argue are more stringent than Obama’s proposal. Despite these concerns, critical infrastructure businesses contend that the unified cybersecurity strategy will institute new, tougher standards for the entire United States. Representatives of the Business Software Alliance and the Financial Services Roundtable came out strongly in support of new steps forward in national cybersecurity legislation, calling them necessary for the prevention of ever-growing cyberattacks.
This does not mean the federal government intends to ignore non-critical infrastructure. On the contrary, the Department of Commerce recently released recommendations for online companies to buttress their cybersecurity protections. It advocated the establishment of codes of conduct and sought to create government incentives for companies to adopt more robust security systems and improve cybersecurity training. While non-critical infrastructure companies remain outside the sphere of regulation, the Commerce Department intends to seek industry input to establish greater cybersecurity cooperation. For example, it proposed the creation of an online identification system to prevent online fraud. These voluntary proposals have been welcomed by businesses, with public support from the Software and Information Industry Association. Therefore, government action in this arena primarily stands to bolster companies’ cybersecurity efforts without imposing roadblocks to growth. Indeed, online fraud cost U.S. businesses $37 billion in 2010, creating a significant economic incentive for companies to listen.
Thus, on the whole, the United States Federal Government’s cybersecurity proposals and policies engender an accommodative setting in which public-private partnerships can flourish. Support from business groups confirms this notion, as does the lack of public outcry over the administration’s recent overtures on the issue. Hence, little resistance to federal cybersecurity policy should be expected in the near term. As high-profile cyberattacks on Nasdaq, Sony, Google, RSA, Lockheed Martin, and most recently Citigroup emerge, private industry will naturally seek a more unified system for cybersecurity collaboration in order to reduce risk and limit the potential liabilities of data breaches. The federal government, then, must carefully balance the needs of the private sector with the necessity of maintaining a stringent cybersecurity regime that can cogently assess companies’ cybersecurity defenses.
1 The White House, “FACT SHEET: Cybersecurity Legislative Proposal,” Office of the Press Secretary of The White House, May 12, 2011, http://www.whitehouse.gov/the-press-office/2011/05/12/fact-sheet-cybersecurity-legislative-proposal.
2 Grant Gross, “Lawmakers question Obama cybersecurity proposal,” CSO, May 25, 2011, http://www.csoonline.com/article/682966/lawmakers-question-obama-cybersecurity-proposal.
3 Bonney Kapp, “White House lays out cyber-security proposal,” CNN, May 12, 2011, http://whitehouse.blogs.cnn.com/2011/05/12/white-house-lays-out-cyber-security-proposal/.
4 Zeljka Zorz, “Obama administration reveals cybersecurity plan,” Help Net Security, May 16, 2011, http://www.net-security.org/secworld.php?id=11027.
5 Lisa Daniel, “Pentagon, Homeland Security Collaborate on Cybersecurity,” American Forces Press Service, May 23, 2011, http://www.defense.gov/news/newsarticle.aspx?id=64045.
6 Greg Masters, “Reaction to White House proposals mixed,” SC Magazine, May 13, 2011, http://www.scmagazineus.com/reactions-to-white-house-proposals-mixed/article/202773/.
7 CSIS Commission on Cybersecurity for the 44th Presidency, “Cybersecurity Two Years Later,” Center for Strategic & International Studies, January 2011, pp. 7-8, http://csis.org/files/publication/110128_Lewis_CybersecurityTwoYearsLater_Web.pdf.
8 Marjorie Morgan, “ISAlliance on Defense Industrial Base Cybersecurity,” The Internet Security Alliance, April 21, 2010, https://www.infosecisland.com/blogview/3753-ISAlliance-on-Defense-Industrial-Base-Cybersecurity.html.
9 U.S. Government Accountability Office (GAO), “Cyberspace: United States Faces Challenges in Addressing Global Cybersecurity and Governance,” GAO, July 2010, pp. 22-23, http://www.gao.gov/new.items/d10606.pdf.
10 U.S. Department of Homeland Security, “Cyber Storm: Securing Cyber Space,” U.S. Department of Homeland Security, September 27, 2010, http://www.dhs.gov/files/training/gc_1204738275985.shtm.
11 Robert K. Knake, “Internet Governance in an Age of Cyber Insecurity,” Council on Foreign Relations Press, September 2010, p. 5, http://www.cfr.org/terrorism-and-technology/internet-governance-age-cyber-insecurity/p22832.
12 Sean Lawson, “Richard Clarke Responds to Administration Cybersecurity Proposals,” Forbes, June 03, 2011, http://blogs.forbes.com/seanlawson/2011/06/03/richard-clarke-responds-to-administration-cybersecurity-proposals/.
13 Kim Zetter, “White House Wants Mandatory Three-Year Sentence for Critical-Infrastructure Hackers,” Wired, May 13, 2011, http://www.wired.com/threatlevel/2011/05/white-house-cybersecurity/.
14 Kelly Riddell, “Online Companies Urged by U.S. to Boost Their Cyber Defenses,” Bloomberg, June 08, 2011, http://www.bloomberg.com/news/2011-06-08/online-businesses-urged-by-u-s-to-bolster-their-cyber-defenses.html.