Is America Building a Cyber Security Sand Castle?

William Crowell, former Deputy Director of the National Security Agency, helps explain how private sector efforts coupled with public sector policies can mitigate cyber threats

But the common call for partnership and sharing makes clear that these forums are not working as well or as broadly as legislators would like. Both public and private entities face major obstacles to sharing.

Public-sector officials often cannot share information because so much of it is classified. “When so much information is treated as classified, we just can’t get the collaboration we need,” Tipton says. “(Federal officials) may tell you, but only on a need-to-know basis. That means there’s not much sharing of technology or ideas and there’s no integration between what goes on in government and private sector.”

Many private-sector organizations face legal obstacles to information sharing. “The Sherman Antitrust Act limits how much organizations who compete with each other can share,” Crowell says. “That one has been an issue in several of the private sectors, particularly financial. There have also been restraints imposed by the Freedom of Information Act, which says if a private organization gives information to the government, the government gets to decide whether the information gets released to the public. That poses some really difficult problems for much of private industry, because company confidential information and brand-damaging information could be released.”

In addition, many small and medium-sized businesses do not even understand why they should be part of the conversation at all. “Many small and medium businesses I have spoken to do not think they’re really at risk,” Payton says. “I have to explain that they could be used as part of a botnet, and that if they store credit card information from customers or social security numbers of employees, that’s valuable data to attackers.”

Symantec released the results of its 2009 Storage and Security in SMBs survey in April, which found that globally, a high number of small and medium businesses have not even taken basic precautions, such as implementing anti-virus software and backing up their data.

“Small and large companies need to recognize that cyber attacks are a constant threat and are many times conducted by foreign government intelligence agencies,” says Lynn Mattice. “Unless companies deploy sophisticated detection software, they do not realize they have lost trade secrets as a result of these attacks because they still have their information; it has simply been copied and sent back to be utilized by foreign competitors.”

“Another challenge for small businesses is that they can’t afford a CIO,” says Payton. “They think since they’re not in the tech business, it does not need to be a big concern. And I tell them, if you’re in business, tech is your business. Because if you use a PC or keep any electronic records, you need to understand your threats and vulnerabilities. If you can’t afford your own IT person, you should hire somebody to come in periodically and do a threat and vulnerability assessment. They can create a mitigation plan and train your staff on how to protect your company’s information and what needs to be done to protect your infrastructure.”

An Uncertain Future

As of this writing, it is unclear what will ultimately be done to improve public-private information sharing. The details of all the proposed plans have yet to be hashed out. Many harbor high hopes that a new advisory panel or cybersecurity czar will provide the focus needed to open up the lines of communication.

Whatever happens, says Payton, we must work to ensure that information is not only shared, but usable. “When we build this bridge of collaboration, we have to figure out how we’re going to filter all this shared data into actionable information for the public and private sector,” she says. “I believe there should be several avenues of communication and several forums that the private sector can use to network and collaborate with the public sector. There may be some groups or councils that need to be vertically focused for specific industries. In addition, emergency alerts regarding cyber threats need multiple levels of notification based on the level of alert. We need to facilitate bi-directional sharing between the government and private industry of core best practices and emerging threats. A combination of Web conferences, in-person meetings and white papers offers different approaches to get that information shared in a way that is meaningful and actionable. It’s really about sitting down, negotiating what works by industry verticals and thinking through an appropriate communication plan.”