In October, the Senate passed a controversial new bill called the Cybersecurity Information Sharing Act (CISA). This bill is strikingly similar in language and intent to the Protecting Cyber Networks Act passed by the House in April, as both focus on information sharing among private entities and between them and the federal government. With the two bills now reconciled by House and Senate negotiators and included in the omnibus budget spending bill, the combined legislation joins the Federal Information Security Management Act (FISMA), which modernized roles, responsibilities and requirements for the management of information security, and the National Cybersecurity Protection Act, which codified the National Cybersecurity and Communications Integration Center (NCCIC), as significant pieces of legislation addressing the growing cybersecurity threat facing the United States.
As the words “Information Sharing” embedded in the act’s name would suggest, the core concept behind CISA is to incentivize information sharing between the private sector and U.S. government departments and agencies. The legislation provides needed clarity for private and public entities to share information and, in so doing, takes steps to develop trust with private companies. Despite significant differences of opinion among partisans on both sides of the aisle, a consensus that “something had to be done” was achieved to prevent, and in some cases possibly retaliate against, the rampages of hacktivism by criminals, terrorists and nation states. As Senator Dianne Feinstein (D-CA) put it after passage: “we need to enable a cooperative effort to share critical information about cyber threats between private sector companies and the government.”
A dangerous degree of private immunity
That statement addressing the urgency of greater information sharing and collaboration might seem innocuous. However, nearly every privacy advocate and civil liberties group agreed that it offered a dangerous degree of legal, legislative and investigative immunity to private companies that share potentially sensitive personal data and information with government agencies.
The privacy community certainly has ample reason to question the lack of specificity in the proposed law’s “information sharing” language, particularly when combined with a virtually unprecedented carve-out that would exempt the details of such sharing from the purview of the federal Freedom of Information Act, which allows for the full or partial disclosure of previously unreleased information and documents controlled by the U.S. government. Some of the private companies opposed to the bill also have important commercial interests to consider. The competitive climate in the global tech industry, most especially in the wake of rogue National Security Agency (NSA) contractor Edward Snowden’s accusations of secret pacts between the NSA and U.S. telecom and tech companies, has changed dramatically. Given their alleged former role as sources for the intelligence community, a fair number of such enterprises have publicly decried any initiative intended to induce them to share information with government agencies, fearing it could further erode their increasingly fragile share of business, especially against European and Asian rivals.
Yet even as this spirited debate continues, legal, ethical and social issues at play pale by comparison to a far more pertinent practical question: Now that CISA is going to serve as the U.S. legal and policy framework for fighting this 21st century cyberwar, what might the execution of this legislative policy directive look like?
Proposals on the table
Two current initiatives, one proposed and originating in the public sector and the other in the private domain, represent how the indisputably vague term “information sharing” might manifest.
First, the General Services Administration (GSA), the agency responsible for managing the real estate assets and facilities of the federal government, recently published a request for a $35 million Congressional appropriation to fund the construction of “a resilient, efficient, Federally-owned civilian cyber campus solution.” The GSA says this “will serve the expanding needs of the federal government’s global civilian cyber security efforts and will create a centralized, visible, civilian-led organization that [will] promote secure collaboration…enhance public-private cooperation with increased opportunities for collaboration…and develop a working environment to support the recruitment, development, and retention of best-in-class cyber professionals.”
Second, Microsoft CEO Satya Nadella recently divulged, in a speech to government technology workers, the rationale behind his company’s decision to construct a centralized cyber-security center on Microsoft’s Seattle campus. As he explained, “We’re bringing together all the operational security people across our company…in one operations center called the Cyber Defense Operations Center, which is like any intelligence operation [in that] we don’t have silos. We actually have people who are able to in real-time connect the dots between what’s happening across all of these services.”
A longtime proponent of information sharing, Mike McConnell, a former Director of both National Intelligence and the NSA, stated:
When Joe sits next to Sam, who sits next to Sally, and when all three work side by side, day in and day out, it becomes humanly impossible (or less probable) for the people involved to continue to wage the mindless and trivial bureaucratic turf battles that have long been identified as the primary obstacles to achieving success in countering the threats posed by global terrorism and cyber-attacks.
Two better ways forward
The growing wave of cyber-attacks underscores the urgency of formulating a practical solution that addresses the disparate technical, legal, ethical, jurisdictional, bureaucratic and organizational challenges that currently hamper an effective cyber defense. Two such recommendations for a practical way forward would be the following.
A unified cyber-defense command center
First, the country lacks a coherent approach for deconflicting the cross-government jurisdictional roles and responsibilities for cyber-attacks, which depend on the determination of attribution and intent. The speed and anonymity of cyber-attacks make determining attribution (criminals, nation states, hacktivists or terrorists) and intent (cybercrime, cyberterrorism, economic espionage and political/military espionage) difficult. Since jurisdictional authority needs to be determined in real time, while an attack is in progress, it is imperative that the United States design a protocol that enables public and private sector entities to mount an effective response before attribution and intent are determined. A proposed solution to this challenge would include the construction of a unified cyber-defense command center, located on a federal campus, to house a dream team of experts who work for and answer to both private companies and public agencies and who would have real-time shared situational awareness of cyber-attacks as they occur. As the cyber-attack develops and attribution and/or intent can be determined, the government agency having the appropriate legal authority would assume primary leadership.
Additionally, as over half of the critical infrastructure requiring imminent protection from cyber-attacks is owned, operated and controlled by the private sector, it is crucial to have cyber experts representing critical infrastructure, ISPs and tech industries co-located with experts from government agencies, including the Departments of Homeland Security, Defense, Commerce and Treasury, the NSA, the Federal Bureau of Investigation, the Central Intelligence Agency and the U.S. Secret Service, working together at a single site to share the real-time situational awareness previously referenced. Furthermore, a predictable byproduct of the countless casual personal interactions that inevitably arise from working together in physical proximity over significant periods is a rare commodity: trust. And trust is widely understood to be both the social glue and the lubricant that will likely lead to the sharing and collaboration between public and private parties envisioned by the drafters of CISA.
One useful precedent for such an initiative dates back to the early days of counter-terrorism, when the federal government attempted to address this same fatal flaw in our counter-terror defense: federal agencies’ and agents’ pronounced disinclination, verging on aversion, to share information, which hindered their ability to “connect the dots” regarding imminent terrorist threats. The solution to the silos problem was to construct a unified National Counter Terrorism Center, a model that seems to be accepted and works as intended.
An emergency-call system for cyber-security attacks
Second, no set framework or single authority currently exists for private sector entities under attack to reach out to government agencies for assistance in marshalling an effective defense, or even a meaningful investigation of an incident. In short, there is an immediate need to construct a national 911 emergency-call system for cyber-security attacks that would constitute a first line of defense in coordinating a timely and effective response.
The case for a multi-sector public private partnership
With the above recommendations in place, the United States would come closer to resolving some of its more vexing cybersecurity roles and authorities issues. With government and private sector specialists co-located and interacting on a daily basis, a credible national cyber defense, resulting from the sharing of information, would be significantly improved.
As McConnell recently remarked:
This core idea of a more open system, based on sharing and collaboration, was actually born in the wake of the 9/11 crisis. Then that philosophy came into conflict with the passion and penchant for secrecy that most if not all government agencies displayed, as is their nature, when faced with the typical and predictable struggles over turf and territory.
However, in the case of cyber threats, nearly all the critical infrastructure deemed most vulnerable to attack is owned by the private sector. That makes the case for a multi-sector public private partnership approach to the problem unusually strong – even stronger, in some ways, than it would be for counter-terrorism.
Patrick Gorman, a former Assistant Deputy Director for National Intelligence for Strategy and formerly Chief Information Security Officer at Bank of America, summarized:
The core idea behind CISA is assuring an efficient sharing of technical, tactical and strategic information about active cyber-attacks and potential threats. We will need to rely on getting people from both the public and private sectors to come together as a team, with a shared goal and a common purpose.
The onus will be on us to create the conditions conducive to building up the human relationships and fostering the greater degree of trust between silos that will result in genuine information sharing and genuine collaboration.
The growing and increasingly complex cyber-threat requires the joint efforts of both the public and private sectors to keep the United States safe. CISA is a good beginning but it is only that, a beginning. It is now up to government and business leaders to work together to protect the interests of the American public.
Mr. Rose also serves on a number of government, educational and corporate advisory boards as a cyber security expert.
This article was written by Capital Flows from Forbes and was legally licensed through the NewsCred publisher network.