DHS to lead anti-cybercrime campaign

The private sector has been skeptical of DHS’s role in preventing cyberattacks. A January Senate report said that the department “struggles with its own information security” and does not issue threat warnings “nearly as quickly” as private companies do. The report also noted that DHS failed to patch Transportation Security Administration servers, leaving biometric data on two million Americans exposed. DHS is improving, Schneck said. “I think that DHS is still a very young organization, and every year I think we add new capabilities.”

Some privacy advocates think DHS might be the best option should the government lead cybercrime efforts. “The alternative to having DHS do the cybersecurity work is that a lot of user data is going to end up in the hands of a military intelligence agency,” said Greg Nojeim, a privacy advocate with the Center for Democracy and Technology. According to Nojeim, while the National Security Agency (NSA) is more competent, the agency also has a conflict of interest. When NSA teams discover holes in software, they are not likely to inform the software maker; they instead leave the holes available so they can exploit them for espionage. “DHS doesn’t have that internal conflict of interest.”

Proposing its own alternative to government supervision of cyberattacks, Facebook has launched the ThreatExchange platform, which allows corporate hacking victims to report and share cyberthreat data. Facebook Security Officer Joe Sullivan, at a recent tech industry conference, asked attendees about the government’s initiative: “How do I do this sharing in a way that doesn’t undermine the trust I’m building with the people who use my service?”

Facebook does not provide cyberattack data to DHS and does not plan to participate in the federal cyber sharing initiative. Google and Yahoo also state that they do not have plans to share cyberthreat data with the federal government.

While DHS officials travel the country recruiting companies to join the effort, House Homeland Security Committee member Curtis Clawson (R-Florida) expressed the attitudes of many private sector entities at a Wednesday hearing. “I’m trying to imagine myself in the position of the CEO of a multinational corporation,” he said. “I’ve got stakeholders and data centers all around the world and a board of directors that’s not all Americans. I’ve got an enterprise resource planning system that I’ve worked for years to get integrated around the world. I accept that cybersecurity is important and that we’re dead if we don’t have it. But liability protections only help one of my stakeholders: the shareholder. My world is much more complicated than that. I’m being asked to tell my board that we’re going to start sharing data with the U.S. government, we’re still working out the details, but you’re going to have to trust us on what we’re going to share, even if you grew up in the Czech Republic or Russia where you’ve been spied upon your whole life. It feels to me like you all have got a tough sale.”