Cybersecurity: Efforts to improve cyber information sharing between the private sector, government

Published 27 April 2015

Lately, Obama administration officials have been venturing West to encourage tech firms to support the government’s efforts to improve cyber information sharing between the private sector and government agencies. The House of Representatives last week passed two bills to advance such efforts. The Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act of 2015 authorize private firms to share threat data such as malware signatures, Internet protocol addresses, and domain names with other companies and the federal government. To the liking of the private sector, both bills offer companies liability protection for participating in cyberthreat information sharing, and they contain provisions that permit government agencies to share data with each other but not with the National Security Agency (NSA) or the Pentagon.

At a meeting during last week’s RSA Conference, White House cybersecurity czar Michael Daniel, speaking on a panel with Amit Yoran, president of the security firm RSA, told attendees that recent major breaches at companies such as Sony Pictures and health insurer Anthem have made information sharing a national priority for President Barack Obama. “Increasing the amount of information flow between the government and the private sector, and between companies in the private sector, is a critical foundational element,” said Daniel at the event hosted by security company Invincea and Passcode. “It’s a necessary … component of getting better at confronting the cyberthreat.” The proposed House bills are a step forward in a bipartisan effort to protect the country’s computer networks and consumer data, Daniel said.

According to the Christian Science Monitor, tech firms and the cybersecurity industry are skeptical about the government’s proposals on information sharing. Some argue that such formal arrangements are unnecessary considering the sharing that already goes on within the industry. Others are still concerned that consumer information will somehow get into the hands of the NSA, despite the provisions in the House bills. Some tech and cybersecurity firms simply do not believe that they will get useful information back from the government in exchange for the information they provide. Yoran congratulated the government, saying its efforts were a “net positive step in the right direction,” but “I don’t think security breaches are stoppable in the current computing paradigm.”

The government is committed to understanding the needs of the private tech sector and recently announced the opening of permanent outposts in Silicon Valley. Both the Pentagon and DHS will soon open offices in the area, but how far these efforts will go toward convincing the tech industry to cooperate is yet to be seen. The House bills will have to be consolidated and sent to the Senate as a single bill, and even if it passes, the private sector will remain skeptical about its effectiveness. One concern among tech firms is whether a company that knows about a potential threat and fails to act fast enough will find itself in a legal fight over a data breach. In addition, will cybersecurity firms lose their advantage when they share their own intelligence about cyberthreats with the government? Will their competitors receive that same intelligence via information sharing?

“We’re not looking to cannibalize that, put anyone out of business, or compete,” Phyllis Schneck, DHS top cybersecurity official, said at last week’s event. “We want you to grow, we want you to make a lot of money because more money leads to more innovation.”

Cybersecurity industry analysts say the success of the government’s efforts on data sharing will largely depend on whether Section 215 of the USA Patriot Act, which permits law enforcement and intelligence agencies to collect certain customers’ records from U.S. businesses, including communications and credit card firms, will be reauthorized when it expires on 1 June. The upcoming debate on reauthorization will further fuel privacy concerns in the tech sector.