This article was originally published by The Hill.
Recently, the U.S. House of Representatives passed legislation that encourages the voluntary sharing of cyber threat and vulnerability information between the private sector and the federal government. The Senate is now considering which cyber legislation it should take up. However, not enough Senators have coalesced around a bill for it to succeed on a cloture vote – and action is needed to protect our critical infrastructure.
The House bill is a good first step to improving the nation’s level of cyber security. But the cyber intrusions into natural gas pipeline company computer networks that were publicized last week demonstrate the inadequacy of the House’s voluntary sharing approach. The intrusions began in December 2011, but there were only identified this March. In an era of light speed attacks, that was far too long. Systems could have been disrupted or damaged long before other companies knew what the threat was.
The major impediments to agreement on a bill are concerns about privacy and the regulatory burdens imposed on the private sector. On both of these issues, constructive solutions are available that would build upon the House bill. Indeed, there are ways to share information with the government while protecting privacy and to minimize regulatory burdens while implementing security improvements beyond those that the House considered.
With a voluntary sharing construct, a company struck by an Iranian cyber attack could still keep that information to itself, while the same malicious software is being deployed against companies and government agencies operating similar systems. In fact, malware is often tested against multiple third party networks before being deployed against its real target – making timely sharing all the more vital.
Companies that control critical infrastructure that could be disrupted by a cyber attack and result in serious consequences should be required to report intrusions and attempted ones to the government. With knowledge about cyber attacks, the government and private sector can work together to develop solutions to prevent intrusions into other networks, discover existing exploitations, and mitigate the consequences to compromised systems.
Some argue that new legal mandates on critical infrastructure would be burdensome and stifle innovation. This argument is based on the false premise that there is a choice between regulation and no regulation at all. Regulation is already here and for good reason: when cyber criminals attack corporate computer systems and steal customer data, 46 states have data breach notification laws that require the reporting of this loss to customers.
Unfortunately, intrusions that do not result in the loss of customer data do not have to be reported. The Federal Trade Commission requires companies that are hacked and lose customer data to comply with minimum cyber security standards under its regulatory authorities. Regulation is not new and has been in place for quite some time.
Regulation can take a variety of forms and is not necessarily burdensome. It can prescribe exactly how an entity must perform a function or spell out the broad outlines for the function and leave it to a company to determine how best to comply. Requiring information sharing would be a rather limited form of regulation. In addition to sharing information about an attack, limited regulation could also include mandatory internal network monitoring for anomalous activity in order to identify cyber attacks in progress, while not spelling out the exact method for doing so. Somewhere in between prescriptive regulations and no new requirements whatsoever, there must be room for negotiation.
To analyze and recommend ways to improve information sharing, the Bipartisan Policy Center has established a task force under the leadership of former CIA Director Michael Hayden and Mort Zuckerman.. The task force will release a report this summer on additional measures that would improve cyber security information sharing while protecting privacy.
Much better and timely intelligence about attacks against private sector networks, when combined with the government’s knowledge about cyber threats, could produce a level of situational awareness about our nation’s information technology infrastructure that would allow a government-private sector partnership to make decisions about how to respond to foreign cyber aggressors. This could include the use of offensive cyber tools that go after those attacking our systems. Given what is at stake, we must move well beyond the sporadic, voluntary cyber threat information sharing to robust cyber intelligence collaboration.
Strayer is director of the Bipartisan Policy Center’s Homeland Security Project.