Preventing the Next Private Sector Cyber Security Breach
07/18/2011 – In rolling out its new cyber defense strategy, Deputy Defense Secretary William Lynn revealed that a foreign intelligence agency stole 24,000 files from a major U.S. defense contractor this March. Lynn added that this incident was just the latest example of how, during the past decade, “terabytes of data have been extracted by foreign intruders from corporate networks of defense companies.”
The announcement again underscores the importance of enhancing private sector cyber security in the United States, where the private sector owns or operates almost all U.S. computer networks, including an estimated 80%-90% of the most critical infrastructure networks. Given that private companies handle sensitive information and manage the overwhelming majority of the U.S. critical infrastructure, public-private cooperation has been a focus of cyber security initiatives for over a decade.
In 1998, President Clinton issued a directive for the federal government to seek to eliminate vulnerabilities to cyber attacks. In 2003, the National Strategy to Secure Cyberspace and a Homeland Security Presidential Directive gave the new Secretary of Homeland Security responsibility for coordinating enhanced infrastructure protection efforts. In 2007, the Bush administration launched a Comprehensive National Cybersecurity Initiative (CNCI) to bolster infrastructure protection programs. Sector Coordinating Councils have been established to institutionalize public-private cooperation for various critical infrastructure sectors. The National Cybersecurity and Communications Integration Center provides a more general forum for homeland security engagement between industries and the government.
The National Infrastructure Protection Plan (NIPP) outlines guidelines for public-private partnerships in securing critical infrastructure, including provisions for owners and operators to have access to information, ensuring that industries are involved in initiatives and policies at their outset, and supporting research to enhance security. The Department of Homeland Security (DHS) allows sectors to identify cyber assets that may have nationally significant consequences through cross-sector cyber methodologies based on the NIPP risk management framework. Responsibility for monitoring private networks remains with the private sector.
In 2009, as part of the Obama Administration’s Comprehensive National Cybersecurity Initiative, the National Security Council and the Department of Homeland Security (DHS) conducted an examination of U.S. cybersecurity policy. The resulting Cyberspace Policy Review found that the United States was facing mounting cyber threats and had to improve both public and private sector cyber defenses.
DHS appears to have overcome some early problems in this area and has recently partnered successfully with the private sector on several initiatives. For example, the Department has worked with companies including Visa, Cisco, and Google on major public education and outreach efforts such as the National Cyber Security Alliance (NCSA), which sponsors the staysafeonline.org website and an annual National Cybersecurity Awareness Month in October.
DHS also cooperates with the private sector in the biennial Cyber Storm exercise series. These DHS-led exercises aim to increase public and private sector preparedness for a cyber attack by rehearsing the strategic decision-making capabilities of agencies as well as their ability to cooperate with each other and with non-federal entities in a cyber incident. Cyber Storm III in September 2010 involved 60 private companies from the finance, chemical, communications, dams, defense, IT, nuclear, transportation and water sectors as well as some sector coordinating councils.
Cyber Storm III was also the first test of the National Cybersecurity and Communications Integration Center (NCCIC), which was inaugurated in October 2009. According to DHS, NCCIC is an always-open entity that generates a common cyber and communications operating picture across the federal, military, and private sectors. The NCCIC coordinates information from within DHS, among other federal agencies such as the Department of Defense, Federal Bureau of Investigation, and National Security Agency, and between the public and private sectors. The NCCIC is responsible for coordinating the preparation for and response to a cyber attack among the public and private sectors.
The United States Computer Emergency Readiness Team (US-CERT), the operational arm of the DHS National Cyber Security Division, disseminates “reasoned and actionable cyber security information to the public.” US-CERT offers free cyber security training to operators of control systems for critical infrastructure. DHS also works with the Federal Emergency Management Agency (FEMA) to provide free online cyber security training for IT professionals and businesses.
In December 2010, the National Institute of Standards and Technology (NIST) of the Department of Commerce joined with the DHS Science and Technology Directorate (DHS/S&T) and the Financial Services Sector Coordinating Council (FSSCC) to conduct accelerated “collaborative research, development, and testing activities for cybersecurity technologies and processes based upon the financial services sector’s needs.”
The Federal Bureau of Investigation (FBI) also supports private sector cyber security. Its Cyber Action Teams (CATs) of FBI agents can quickly deploy to investigate cyber intrusions. For example, the FBI assisted Google this May in investigating the hacking of U.S. government officials’ Gmail accounts. The InfraGard program partners the FBI with state and local governments as well as the operators of critical infrastructure; it is designed to increase communication and information sharing between those entities that protect and operate critical U.S. infrastructure.
During their 111th session, members of Congress introduced approximately 50 cyber security bills. At the request of the Senate leadership, the Obama Administration formulated a comprehensive legislative proposal designed to address an array of cyber security concerns addressed in these bills.
On May 12, 2011, the Obama Administration released its Cybersecurity Legislative Proposal. Its stated aim is to strike a balance between the concerns of industry and the patent need for greater cyber security through enhanced public-private cooperation to better protect Internet-based networks. Both administration and congressional leaders have stressed that the proposal represented a contribution to congressional deliberations and would likely be amended by the half dozen committees having jurisdiction over public-private cyber security issues.
Although many industry leaders applaud government efforts to bolster national cyber defenses, some private sector stakeholders have expressed concern that increased federal intervention in private cyber networks would impose excessive burdens and thereby stifle innovation and commerce.
Critics have suggested that regulation could actually have adverse effects on the private sector’s ability to parry cyber-attacks. They assert that creating cyber security frameworks designed to meet compliance standards would not be cost effective given the wide variation among systems and networks as well as the rapid change of information technology. In this regard, private sector leaders have warned that an overly broad definition of what constitutes “critical” national infrastructure could result in the government’s imposing excessively wide cyber security mandates across the private sector.
The Obama administration has sought to reassure the private sector that its proposal would not overly burden corporations and other non-governmental entities. Administration representatives have affirmed their general opposition to a top-down approach that employs heavy government regulations to cyber security partnerships and instead have backed a bottom-up approach driven by market forces and self-regulation. In most industry sectors, firms would be responsible for establishing their own cyber security standards and for developing and validating plans to achieve them. The federal government could assist this process only if the firms involved requested help.
Only in the case of “core” critical infrastructure, which would be identified through standard agency rulemaking processes that are open to industry participation, could DHS compel companies to adopt specific remedial measures if federal regulators deemed the existing standards and plans inadequate. These would be subjected to a third-party commercial audit and, if the operator already reports to the U.S. Securities and Exchange Commission, SEC certification of their plans. DHS would then work with businesses to improve plans deemed insufficient.
The administration’s proposal would bolster DHS capabilities in this area in any case by enhancing the Department’s abilities to defend civilian government networks. DHS will now replace OMB as the manager of the Federal Information Security Management Act and develop and implement intrusion detection systems along with oversight through annual certification to verify their effectiveness. DHS would also receive the same authorities as the Department of Defense to hire more cyber security professionals on an accelerated basis. DHS would also receive authorization to exchange cyber security experts with the private sector to enhance mutual understanding.
Beyond DHS assistance to other federal agencies, the administration’s proposal aims to clarify DHS’s role in helping state and local governments as well as private companies respond to cyber attacks. The Obama administration recommends that legislation should provide DHS with a clear statutory framework for action in the cyber security realm that would enable the Department to respond more rapidly to requests for assistance without fear of overstepping its authority. This initiative aims to address a recurring private sector complaint that the government was not providing companies with sufficient actionable threat information and cyber alerts.
Conversely, public bodies complain that private companies are excessively reluctant to relate information about cyber attacks, degrading mutual situational awareness and complicating efforts to assess and strengthen national cyber security programs. State and local governments as well as private companies may be unsure of what cyber security information they can safely share with federal government entities.
Business leaders hesitate to provide sensitive, proprietary data for fear government action could harm their competitiveness if proprietary information reaches their competitors. Furthermore, company executives often fear that sharing information about private individuals could expose them to potential legal action on civil liberty grounds.
The Obama administration wants legislation to grant limited legal immunity to organizations including private companies that share cyber security information with DHS. To facilitate matters, the administration would replace the existing hodgepodge of 47 separate state “breach” notification laws with a single requirement that a firm that experiences a cyber intrusion that could have gained access to information about private individuals must report that breach to DHS. The new rule would also specify when and how the company must notify the affected customers.
As a form of deterrence, the proposal would modernize other laws and regulations to address cyber crimes. For example, it would extend the scope of some laws to Internet crime and increase penalties for cyber crime so that they match those imposed for non-Internet illegalities.
The administration’s proposal also stresses the need for measures to ensure that shared information and other public-private cyber security collaboration does not impinge on civil liberties. The proposed privacy protection framework includes new oversight, reporting, and annual certification requirements to ensure that cybersecurity technologies are used only for their lawfully intended purposes.
A final area of private sector concern is that U.S. government action to establish industry standards could prompt foreign governments to institute their own, different standards. This process could result in a “Balkanization” of the Internet that would impede global commerce. The private sector would also like the U.S. government to try to make U.S. industry best practices the global standard for cyber security.
Along with the Cybersecurity Legislative Proposal, which focuses on domestic cyber security, the Obama administration released an International Strategy for Cyberspace with the goal of maintaining an “open, interoperable, secure, and reliable cyberspace.” To realize this goal, the Strategy states that the United States will partner with other national governments to promote benign international norms for cyber security that favor the growth of global commerce. The administration also wants to enhance international cooperation in cyber law enforcement since cyber criminal organizations are often transnational actors that exploit the almost borderless world of the Internet.
Several Congressional Committees have held hearings on the administration’s proposal. Many of the suggested changes have been welcomed, but there have been several recurring objections. For example, whereas the administration would rely on market disincentives to drive behavior (e.g., companies’ desire to avoid losing customers, including federal procurement contracts, or paying higher insurance premiums through exposure of weak cyber security practices), members of Congress have called for more positive incentives such as tax subsidies for adopting superior cyber defenses.
Another congressional concern is to limit the president’s ability to “kill” the Internet in a national emergency by specifying what an administration can do under crisis conditions. Members have also sought to constrain the immunities given to firms that experience a data breach through negligence or other problematic behavior.
Finally, many members of Congress want to replace the current White House-appointed Cyber Coordinator with a more powerful official who would also be more responsible to Congress through a requirement for Senate confirmation of any nominee for that position.