The President issued the Cybersecurity Executive Order during his State of the Union earlier this month. But some say the Executive Order doesn’t go far enough.
“The Executive Order was unprecedented and very wanted, but it is inherently limited in what it can do. The Executive Order can only tell the entities that are part of the executive branch; it can’t reach the legislative branch, independent agencies or the private sector. For that you need comprehensive legislation, like the Cyber Intelligence Sharing and Protection Act (CISPA),” said Larry Clinton. Clinton is the President of the Internet Security Alliance.
He told Chris Dorobek that in order for the national defense to actually be strengthened the country needs a stronger public-private sharing of cybersecurity intelligence.
“The Executive Order calls for greater sharing between public and private sectors. But how do you get people to do that? You probably need to provide incentives? The Executive Order can’t do that. What CISPA does is put in place a liability incentive for private entities to share information. Right now a lot of private companies are nervous about sharing information with the federal government. They are worried they will be sued or the information will be used against them. That’s why we can’t just have a cyber policy but we need actual legislation,” said Clinton.
The CISPA Controversy
“The original legislation that was introduced about 1.5 years ago has been reformed fairly substantially. The version out now includes a number of civil liberty protections that were not in place originally,” said Clinton.
Protect the Networks
“The private sector has increased cybersecurity spending by 100% in the last five years. It went from $40 billion to $80 billion. The entire DHS budget is $54 billion. And only $1 billion of that budget is invested in cybersecurity. In order for the US to have a national cybersecurity defense we need to tap into their information,” said Clinton.
Crisis of Trust
“Unfortunately we have a crisis of trust with respect to sharing information. The government is concerned that if they let the private sector know about certain things then the cat will get out of the bag and the government won’t be able to chase down cyber crooks. We have to find a way to bridge the crisis of trust gap,” said Clinton.
What’s Shared?
“The sort of information that needs to be shared would be much better classified under CISPA. There is no need to share personal information like bank accounts. The sort of information that needs to be shared is much more in the technology department. What we’re talking about is dealing with indicators of particular threats, so it should have nothing to do with individual rights. We need to narrow the focus of information sharing to the tech arena,” said Clinton.
Will CISPA Pass?
“There is more of a reason for optimism than with earlier bills. This CISPA bill in the House is bi-partisan. There has been some maturation by Democrats and the White House to take a different approach to cybersecurity. It’s more about encouraging collaboration and cooperation rather than regulation and penalties,” said Clinton.
There are efforts coming from DHS, MITRE, and MANDIANT to make it easy to share information about attacks, the malware used, and the like. You might look at http://cybox.mitre.org/, both for information about CYBOX and for links to allied efforts, and at http://www.openioc.org/ for a similar effort from the private sector.
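To make concrete what "indicators of particular threats" look like in one of these sharing formats, here is an added example (not code from the article, MITRE or Mandiant) that parses a small indicator document laid out in the style of OpenIOC 1.0 and checks it against a set of host observations. The namespace and element names follow the published OpenIOC 1.0 layout, but the document, its ids, the hash, file name and domain are all constructed for this example, and the `evaluate_ioc` matcher is a deliberately minimal illustration rather than any vendor's engine. The point a defender should take from it is that the shared content is a file hash, a file name fragment and a domain, with no personal data involved.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the OpenIOC 1.0 layout (namespace as published at
# openioc.org). Every id, hash, name and domain below is made up for this example.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="EXAMPLE-IOC-0001" last-modified="2013-02-20T00:00:00">
  <short_description>Example dropper indicator (constructed)</short_description>
  <definition>
    <Indicator operator="OR" id="EXAMPLE-IND-0001">
      <IndicatorItem id="EXAMPLE-ITEM-0001" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00112233445566778899aabbccddeeff</Content>
      </IndicatorItem>
      <IndicatorItem id="EXAMPLE-ITEM-0002" condition="contains">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">svch0st</Content>
      </IndicatorItem>
      <IndicatorItem id="EXAMPLE-ITEM-0003" condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">example-c2.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}


def parse_ioc(xml_text):
    """Return (operator, [(search_path, condition, content), ...]) for the top-level Indicator."""
    root = ET.fromstring(xml_text)
    indicator = root.find("ioc:definition/ioc:Indicator", NS)
    items = []
    for item in indicator.findall("ioc:IndicatorItem", NS):
        ctx = item.find("ioc:Context", NS)
        content = item.find("ioc:Content", NS)
        items.append((ctx.get("search"), item.get("condition"), content.text.strip()))
    return indicator.get("operator"), items


def item_matches(condition, content, observed_values):
    """Evaluate one IndicatorItem against the values observed for its search path."""
    for value in observed_values:
        if condition == "is" and value.lower() == content.lower():
            return True
        if condition == "contains" and content.lower() in value.lower():
            return True
    return False


def evaluate_ioc(xml_text, observations):
    """Return the search paths that matched; an AND indicator only reports when every item hits."""
    operator, items = parse_ioc(xml_text)
    hits = [search for search, cond, content in items
            if item_matches(cond, content, observations.get(search, []))]
    if operator == "AND" and len(hits) != len(items):
        return []
    return hits


# Constructed host observations, keyed by the same search paths the indicator uses.
# Only the file name fragment should match here; the hash and domain are different.
HOST_OBSERVATIONS = {
    "FileItem/Md5sum": ["9e107d9d372bb6826bd81d3542a419d6"],
    "FileItem/FileName": ["C:\\Windows\\Temp\\svch0st.exe"],
    "Network/DNS": ["update.example.invalid"],
}

if __name__ == "__main__":
    print(evaluate_ioc(SAMPLE_IOC, HOST_OBSERVATIONS))
```

Each `IndicatorItem` names a host artifact (`search`), a comparison (`condition`) and the value to look for; the enclosing `Indicator` combines them with `OR` or `AND`. That is the whole of what gets exchanged, which is why the technical-indicator scope Clinton describes can be kept separate from personal information.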