As the 114th Congress convened here in the US, the Obama administration was looking for a less partisan issue it could promote in the face of opposition party control. Cybersecurity on its face has the illusion of being nonpartisan, the realm of technical experts. Yet history has proven that the partisan and ideological divides can be just as profound when it comes to addressing the nation’s cyber vulnerabilities.
Since 2011, the Obama administration and its representatives have touted cyber threat information sharing as a means to achieve a more secure cyberspace, and by extension strengthen national security. But, whether Congress is friend or foe to the administration, there has been little action on the cyber front.
This stagnation required Obama to sign an executive order in 2013 establishing a voluntary framework creating cybersecurity standards for critical infrastructure. Once again the president has resorted to an EO to create a voluntary information sharing network among private sector organizations, in addition to establishing a federal agency to coordinate threat intelligence within the government. Both of these moves came within days of each other in February, but many experts were skeptical that either would have significant effects on enhancing cybersecurity.
Comprehensive cybersecurity legislation has been as successful as a search for purple unicorns. Instead, it has required a piecemeal approach that kicked off last year when Obama signed the critical infrastructure executive order. This year has started with congressional efforts to examine data breach notification, but the last jewel in the cyber crown – information sharing – has remained elusive across the last three presidential administrations.
The new push started Feb. 10, when Lisa Monaco, the president’s assistant for homeland security and counterterrorism, announced in a speech the creation of the Cyber Threat Intelligence Integration Center (CTIIC). Earlier that day a senior administration official told Reuters the center would “connect the dots between various cyber-threats to the nation so that relevant departments and agencies are aware of these threats in as close to real time as possible.”
Monaco told the Washington Post the new agency would coordinate cyber threat intelligence across government agencies and would be modeled on the National Counterterrorism Center established after the 9/11 terrorist attacks. An analysis by NextGov revealed the CTIIC would be overseen by the Office of the Director of National Intelligence with a budget of $35 million. The new agency and its budget would bypass congressional approval based on the authority granted to the president under the 2004 Intelligence Reform and Terrorism Prevention Act.
Later that week, on Feb. 13, the White House Summit on Cybersecurity was held at Stanford University. Here the president signed an executive order on “Promoting Private Sector Cybersecurity Information Sharing.” The order, which carries the effect of law within the federal government only, aimed to establish cyber threat information sharing organizations within the private sector, “to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.”
A shared mission - please?
“This has to be a shared mission,” Obama said in his remarks. “Government cannot do it alone, and the private sector cannot do this alone either. There’s only one way to defend America….government and private sector working together as true partners.”
So with a simple memo and the stroke of a pen, the president made unprecedented strides to promote the sharing of cyber threat intelligence both within the federal government and between private sector organizations. From industry to industry, from non-profit to non-profit. Up to the government, and back down into the private sector, critical information on cyber threats will flow like never before. But will it really, and if so, would such a framework even be desirable?
While some former counterterrorism officials like Richard Clarke called the creation of the CTIIC a positive move that’s long overdue, others like Melissa Hathaway, former White House cybersecurity coordinator, said the new agency was simply another unnecessary level of government. She noted that the government already has several groups dedicated to monitoring and analyzing cyber threat data: the Department of Homeland Security (DHS), FBI, and NSA all have cyber operation centers.
“We should not be creating more organizations and bureaucracy”, Hathaway told the Post, adding that “We need to be forcing the existing organizations to become more effective – hold them accountable.”
Bruce DeGrazia, president of GHS Advisors, and a former Assistant Deputy Undersecretary of Defense, seems mildly amused by the creation of the CTIIC. This is especially true when reflecting on the administration’s reference to ‘connecting the dots’. “I thought that’s what our director of national intelligence was supposed to be doing”, he commented.
He recalls a huge criticism after the 9/11 terrorist attacks was that intelligence agencies were so siloed they did not communicate with each other, “and that was one of the reasons there is supposed to be a Director of National Intelligence that deals with all these issues,” he tells DatacenterDynamics. Yet the new CTIIC will sit underneath the director in the same agency – “giving responsibility to the person who was supposed to be doing it in the first place,” DeGrazia says.
Richard Stiennon is chief research analyst with IT-Harvest, and a renowned security expert who specializes in privacy matters. He questions the entire push for information sharing and whether it would be useful.
“You can’t take every agency’s attack data and just push it over to a central point,” he observes when talking about the CTIIC’s function. He says there is simply not enough manpower to sift through this data, let alone coordinate what is truly useful to other government agencies and the private sector.
“Members of Congress and the president act as if all we need is information sharing and then the problems will be solved, which was certainly true about 9/11. But on the IT security side, information sharing is done automatically by practically every security product that’s deployed,” he explains. In this system, threat intel flows from one vendor’s products into another – “and that’s effective information sharing that protects millions of people and organizations.”
Centralization versus privacy
Stiennon laments any centralization of the process as being detrimental to both privacy concerns and the overall goal of enhancing cybersecurity. “There is already this beautiful infrastructure built toward information sharing in IT security, and just about everyone participates in it,” he asserts. “Now the defense-industrial base, and critical infrastructure, which historically do not do a good job of applying security, think all they need is the right information.” Most of the time what happens, he claims, is that government agencies like the FBI provide a mountain of information without context, which is mostly useless to the recipient.
“I think it’s a proactive and far-seeing idea”, says Greg Novak, principal research analyst with the Information Security Forum (ISF). His contrarian view is drawn from a cyber threat landscape that comprises many actors, sometimes intertwined: single state, non-state, criminal, and ideological. Yet often the government’s cyber threat investigation capabilities are divided along these very lines within separate agencies.
“The ability to coordinate this information will increase national security and cybersecurity for the private sector”, he predicts. Novak provides the Sony Pictures breach publicized in November of last year as an example. “Here we have a state actor attacking a private organization within the US, and there are elements of both criminal and ideological within it,” he notes. “Trying to figure out which government agency should handle response is not exactly clear, but sharing information among all of them would have been useful”, both before and after the attack, Novak explains.
The effectiveness of the EO on information sharing raises just as many questions. To be clear, everyone who spoke to DatacenterDynamics agreed that, as the order seeks to create “voluntary” Information Sharing and Analysis Organizations (ISAOs) across industries, no company will be required to join or share information. Further, as DeGrazia explains, an executive order lacks the teeth of legislative regulatory action.
“All an executive order can do is direct the federal government to do something, or not do something. It has no effect outside the federal government – Congress has to do that,” he tells us.
“I hate to be cynical”, DeGrazia adds, “but we will need to suffer some type of cyber attack that significantly impacts critical infrastructure before Congress will do anything.”
What an Executive Order can’t do
The EO can’t create the ISAOs, and the executive branch can only encourage them through the DHS. Further, DeGrazia says, if the private sector does not support it, then the initiative will wither away like previous legislative proposals on cybersecurity information sharing. “It’s all voluntary. That all being said, it is in the interest of the private sector to form these organizations because they may well have access to threat information they may not otherwise have access to,” he points out.
Both Novak and Stiennon see any centralized involvement by government as a non-starter for industry. “After the Snowden revelations, people are wary of sharing any sort of information with the federal government, and in particular multi-national organizations that have foreign operations would see it as a liability. Unfortunately, the government has its own reputation to overcome,” Novak concludes.
Stiennon sees the effort as redundant and just one small component of combating cyber threats, “especially given that hundreds of these information sharing organizations already exist,” both formal and informal.
“We are already aware of the intelligence agencies’ issues with privacy violations, so centralizing just gives them access to more information to mine – ostensibly to track down bad guys – but opening up to more misuse,” he warns. “There is an issue of trust in that organizations will not want to share information one way with the government, or a government-backed organization. If people perceive that you are giving the government anything in the way of what may be personal data, then it may cost you customers.”
The analyst says talk about information sharing misses the point entirely and deflects focus from addressing the nation’s most glaring cyber vulnerabilities. “Regardless of how perfectly information sharing is rolled out and supported by the government, it won’t do a thing to slow down the pace of successful, targeted cyber attacks,” he predicts. “These developments are counterproductive in that they do not address the core issue.”
Stiennon says the government should instead engage in some introspection, rather than setting its sights on the private sector with voluntary frameworks.
“The fact is that most government agencies or public-private partnerships like utilities are the most vulnerable because they have not invested adequately in security,” he concludes. “If we want to promote greater cybersecurity and national security, then every government agency should embark on a program to catch up to where private enterprise is today.”