Modern field guide to security and privacy

Opinion: Why the 'cyber bill' falls short on protecting critical networks

The Cybersecurity Information Sharing Act is missing a key component needed to strengthen America's digital defenses – transparency into what the government itself is doing or not doing to protect its networks from hackers.

Carolyn Kaster/AP
Senate Majority Leader Mitch McConnell of Kentucky, center, is among the strongest supporters in Congress of the Cybersecurity Information Sharing Act. He told reporters on Tuesday that the bill may pass as early as next week.

There's a lot of talk in Washington lately about the need to secure our national cyberinfrastructure following the massive data breach at the Office of Personnel Management.

Lawmakers are under pressure to show progress on anything "cyber," but little has been done. One step in that direction was outlined in President Obama's Executive Order 13691, "Promoting Private Sector Cybersecurity Information Sharing." But this week senators are debating a more formal step known as the Cybersecurity Information Sharing Act (CISA), a bill that could be put to a vote as early as next week.

CISA is a good idea in principle, provided that privacy concerns are addressed. The bill, however, is focused on private sector information sharing, which is only a small part of the problem. Sharing information to protect private businesses is important, but in many cases it will not prevent a breach. In the wake of OPM and other breaches, we should also look at the security at federal agencies.

Legislation that increases the transparency of federal cybersecurity programs would be a welcome addition to the CISA discussion.

Placing too much emphasis on sharing threat information – or indicators, as the industry calls them – could cause the private sector to overlook fundamental cyberhygiene. According to OPM testimony, it was a lack of hygiene – not knowing what devices were on the network, failing to manage and protect user access, and out-of-date or unpatched systems – that lead to their breach. Sharing indicators will never replace a strong security program built on the fundamentals and could easily lead to a false sense of security.

We learned a lot from the OPM breach about the overall shoddy state of federal cyber security, but this isn’t surprising when you look at the numbers. The federal IT budget is roughly $80 billion, with about $13 billion (16 percent) earmarked for security. Sixty-eight percent of that $13 billion goes to the Department of Defense. That leaves just $4 billion to split among all other federal agencies. This is comparable to the average budget allocation for a private company (5 percent), but here that money is split among dozens of agencies across the federal government.

Simply spending more money doesn’t automatically make you more secure, but if the US government wants to keep the nation secure and protect Americans' private data, it must invest more in cybersecurity outside of the DoD.

Agencies must have appropriate procedures in place for testing security effectiveness. They need to do more than just watch the perimeter or share indicators. Agencies should be continuously monitoring and assessing overall network security status in real time.

Success may mean hiring more cybersecurity experts, and/or investing in tools to detect and remediate network vulnerabilities with fewer personnel. The security industry is experiencing a severe talent drought, so competition for top performers is intense. At the same time, good tools cost money; however the return for the right tool is often worth the initial cost.

If the federal government wants to demonstrate a serious commitment to cybersecurity, it should increase transparency about successes and potential improvements. It is not enough to conduct public postmortems and play Monday morning quarterback after a breach. Communication and transparency must be increased around the security status of critical networks and national cyberdefenses. This is an opportunity for the federal government to take the lead and set an example for others by disclosing specific details and the best practices of its cybersecurity programs.

Federal agencies already report some cyberinformation under the Federal Information Security Management Act (FISMA), but this should be looked at as a starting point. The government could share even more information without helping potential attackers. It could reveal the type of technologies it deploys, its strategic goals and objectives, vulnerability patch rates, or antivirus and firewall effectiveness. Such transparency increases accountability and focuses more attention on the techniques, defenses, and controls in place than on chasing threat indicators. Agencies could look to each other for examples of what works and what does not work.

Sharing defensive cybersecurity information is not a danger to national security. Not sharing this information is what the industry calls "security through obscurity" and it is not considered a good security strategy. Sharing defensive cyberinformation is confirmation that taxpayer resources are well spent and deployed effectively. Sharing this information would allow the government to pivot from pointing fingers and focusing on failures to looking at what works and focusing on success. Millions of American citizens have already been harmed; citizens have a right to know more about what is going on inside government agencies that keep them safe.

This is the kind of cybersecurity information sharing legislation we need – real transparency, not the opaque transmission of threat data between big companies and top-secret agencies.

Information sharing can be a powerful tool for cyberdefense, but we need to make sure we are sharing the right information. We are all on the same Internet, how we keep it safe is up to all of us. Transparency strengthens everyone, costs us nothing, and will create a competitive cooperation among federal agencies that will benefit not just the agencies themselves, but also the American public at large.

Ron Gula is a former National Security Agency researcher and intrusion detection specialist turned chief executive officer of Tenable Network Security. Follow him on Twitter @rongula.


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Opinion: Why the 'cyber bill' falls short on protecting critical networks
Read this article in
QR Code to Subscription page
Start your subscription today