Opinion: Why cybersecurity needs a grass-roots solution

President Obama's Cybersecurity National Action Plan rightly aims to make digital security a higher priority. But Washington needs to work more with states and cities to boost awareness of cyberthreats and the adoption of best practices.

Kevin Lamarque/Reuters/File
President Obama spoke at the Summit on Cybersecurity and Consumer Protection at Stanford University in February 2015.

A year ago, I sat in a Stanford University auditorium packed with industry executives as President Obama signed a landmark Executive Order to "promote private sector cybersecurity information sharing."

Then, in December, he signed the Cybersecurity Act of 2015 and just last week he announced a Cybersecurity National Action Plan "with the goal of providing every American a basic level of online security." 

The president’s populist tone on cybersecurity marks an encouraging evolution in the administration's strategy, one that has no doubt been influenced by security breaches at big box retailers, health insurers, and a slew of federal agencies.

The cumulative effect of so many publicized incidents is beginning to shape the direction of our national policy, both substantively and rhetorically. The same North Korean attack against Sony Pictures that Mr. Obama dismissed as a mere act of "cybervandalism" in December 2014 was cited last week by the White House among the justifications for the President's $19 billion request to Congress to bolster the nation's cybersecurity.

As far as the domestic agenda goes, America's cybersecurity policy for the past several years can largely be summed up in two words: information sharing.

The aforementioned Cybersecurity Act outlines a voluntary mechanism for companies to share so-called "cyberthreat indicators" with the federal government. It includes welcome provisions allowing companies to invoke limited liability protections, although many of the same protections are already afforded under the much less known Critical Infrastructure Information Act, signed more than a decade earlier by President George W. Bush.

In addition, the White House's Executive Order – the one from a year ago – calls for the creation of nationwide organizations to "promote private sector cybersecurity information sharing."

The Information Sharing and Analysis Organization (ISAO) Standards Organization, of which I am a member and which is tasked with developing information sharing standards, met in San Antonio last week to hash out the many thorny issues dividing regulators and industry on this topic.

Despite all of this progress, cyberthreat information sharing remains challenging, and its contribution to America's overall cybersecurity appears dubious. 

The first challenge is forming a community of trust. Trust is as much about technology and process as it is about people, and the first two components demand expertise and money, which is why few small businesses or local governments engage.

The next challenge is building a network of equally willing and capable sharers. Adm. Jim Stavridis, former Supreme Allied Commander of NATO and dean of Tufts University's Fletcher School of Law and Diplomacy, rightly analogizes this exchange network to a "marketplace for cyber threat data," where data is the "currency" that sharers invest in return for reducing their risk.

In this respect, perhaps the highest barrier to entering this marketplace is achieving the capacity to trade. Whereas recent legislation aims to increase the pool of willing sharers, effective information sharing still demands a robust collection and dissemination platform to "mint" the currency, grow the volume of shares, and then engage in high-frequency trading.

In New Jersey, for example, we employ a complex infrastructure to detect indicators of compromise — or signs of an attack — on a daily basis across dozens of state agencies. As soon as our own systems are immunized, we disseminate our intelligence to trusted parties using automated processes and secure virtual connections, all after applying analytical tradecraft to vet the data and enrich its value to our customers.

The answer to the all-important question behind cyberthreat information sharing – What's in it for me? – is different for industry and government. For the private sector, information sharing is a means to an end, one defined by risk management and, ultimately, the bottom line. For government, information sharing is the end in itself, so government is inherently incentivized to participate. Industry's cost-benefit calculation, on the other hand, is more nuanced and often conflicted. In many cases, information sharing, especially with the government, presents more risk to a company than the threat itself.

Information sharing is a critical pillar of American cybersecurity policy, and the US should build on the progress of the last few years. But protecting our citizens, businesses, and governments from the threats of the Digital Age demands a more multifaceted approach with a clear division of labor between industry and government, including federal, state, and local government. Our experience over the past several years demonstrates a need to diversify government's role in cybersecurity beyond information sharing. After all, the greatest successes of cyberthreat information sharing involve sector-specific constructs with little to no government involvement.

The president’s Cybersecurity National Action Plan rightly aims to "raise the level of cybersecurity across the country." To do this, we should address the weakest links in our cybersecurity chain. As its chief executive, the federal government is and should be the president’s first priority, but a national strategy requires robust coordination with states and strategic localities to address the most vulnerable in America’s cyberspace. From basic network security to information sharing, incident response, and cybercrime investigations, states have the potential to be the rising tide that lifts all boats.  

For starters, the federal government should work with states and major urban areas to increase public awareness of cyberthreats and the adoption of best practices. Public awareness is less about enhancing information sharing than it is about expanding access. Until we begin to commoditize certain types of cyberthreat intelligence and expand its availability to the general public, industry, and researchers, barriers to entry for even novice hackers will remain too low to reverse the constant exploitation of our cyberspace.

The president’s latest Executive Order calls for the establishment of a Commission on Enhancing National Cybersecurity. Once that's done, recognizing the role of states should be near the top of the docket. 

Dave Weinstein is a cybersecurity fellow at New America and the director of cybersecurity for the State of New Jersey. Follow him on Twitter at @jerzcyber.
