The Department of Homeland Security’s top cybersecurity official says hackers and rogue nations targeting the country’s critical infrastructure and businesses will “stop dancing in the streets” if the Obama administration’s plan to share information on cyberthreats succeeds.
If companies start sharing more information with each other and the government about the threats they face, it will give them an advantage over their attackers, Phyllis Schneck said at an event on Thursday hosted by Passcode and the Center for National Policy. Information-sharing, she said, is “the one thing [adversaries] can’t do.”
Ms. Schneck’s remarks came just days after President Obama announced an executive order to encourage information-sharing. Mr. Obama has also called on Congress to pass legislation that would make DHS the central repository for that information coming from the private sector.
Despite Schneck’s enthusiasm for the program, however, prominent security and privacy experts were more cautious, raising concerns about whether information-sharing legislation was actually necessary and how best to protect personal data once it is shared with the government.
Here are some key takeaways from the event:
One year after the Obama administration rolled out the country’s first cybersecurity standards to protect critical infrastructure, it is “tricky” for the government to see how companies or individual sectors are progressing, Schneck said. One counterintuitive way to assess progress, she suggested, is whether the threats companies see are getting more sophisticated. “That means we’ve wiped out some of the bottom feeders,” that is, attacks that could have been more easily avoided.
In the panel discussion, SANS Institute director John Pescatore said the “reality” is that many industries, such as the financial sector, already have their own ways of sharing information. Rather than “yet another agency” pooling threat information, Pescatore said, a cyberincident response team that investigates breaches and shares lessons learned with the community, so that similar attacks can be prevented in the future, would be more useful.
The Center for Democracy and Technology’s Harley Geiger wants to make sure there are strong limitations on the kind of information companies can share with the government, and hard limits on how law enforcement can use it. The Obama administration, Geiger said, has so far set “pretty reasonable” limitations: computer crimes, threats of death, and sexual exploitation of minors. “But if it is open for general law enforcement use, then it essentially becomes a giant backdoor wiretap,” he said.
Companies, he later added, should not have to choose between being vulnerable to attacks and sharing personal information with the National Security Agency.