A year ago, I sat in a Stanford University auditorium packed with industry executives as President Obama signed a landmark Executive Order to "promote private sector cybersecurity information sharing."
Then, in December, he signed the Cybersecurity Act of 2015 and just last week he announced a Cybersecurity National Action Plan "with the goal of providing every American a basic level of online security."
The president’s populist tone on cybersecurity marks an encouraging evolution in the administration's strategy, one that has no doubt been influenced by security breaches at big box retailers, health insurers, and a slew of federal agencies.
The cumulative effect of so many publicized incidents is beginning to impact the direction of our national policy, both substantially and rhetorically. The same North Korean attack against Sony Pictures that Mr. Obama diminished as a mere act of "cybervandalism" in December 2014 was cited last week by the White House among the justifications for the President’s $19 billion ask of Congress to bolster the nation’s cybersecurity.
As far as the domestic agenda goes, America's cybersecurity policy for the past several years can largely be summed up in two words: information sharing.
The aforementioned Cybersecurity Act outlines a voluntary mechanism for companies to share so-called "cyberthreat indicators" with the federal government. It includes pleasing provisions for companies to invoke limited liability protections, although many of the same protections are already afforded under the much less well-known Critical Infrastructure Information Act, signed over a decade earlier by President George W. Bush.
In addition, the White House's Executive Order – the one from a year ago – calls for the creation of nationwide organizations to "promote private sector cybersecurity information sharing."
The Information Sharing and Analysis Organization (ISAO) Standards Organization, of which I am a member and which is tasked with developing information sharing standards, met in San Antonio last week to hash out the many thorny issues dividing regulators and industry on this topic.
Despite all of this progress, cyberthreat information sharing remains challenging, and its contribution to America's overall cybersecurity appears dubious.
The first challenge is forming a community of trust. Trust is as much about technology and process as it is about people, and the latter two components demand expertise and money, which is why few small businesses or local governments engage.
The next challenge is building a network of equally willing and capable sharers. Adm. Jim Stavridis, former Supreme Allied Commander of NATO and dean of the Fletcher School of Law and Diplomacy at Tufts, rightly analogizes this exchange network to a "marketplace for cyber threat data," where data is the "currency" that sharers invest in return for reducing their risk.
In this respect, perhaps the highest barrier to entering this marketplace is achieving the capacity to trade. Whereas recent legislation is aimed at increasing the pool of willing sharers, effective information sharing still demands a robust collection and dissemination platform to "mint" the currency, grow the volume of shares, and then engage in high-frequency trading.
In New Jersey, for example, we employ a complex infrastructure to detect indicators of compromise — or signs of an attack — on a daily basis across dozens of state agencies. As soon as our own systems are immunized, we disseminate our intelligence to trusted parties using automated processes and secure virtual connections, all after applying analytical tradecraft to vet the data and enrich its value to our customers.
The answer to the all-important question behind cyberthreat information sharing – What’s in it for me? – is different for industry and government. For the private sector, information sharing is a means to an end, one defined by risk management and ultimately, their bottom line. For government, information sharing is the end, making them inherently incentivized. On the other hand, industry’s cost-benefit calculation is more nuanced and often conflicted. In many cases, information sharing, especially with the government, presents more risk to industry than the threat itself.
Information sharing is a critical pillar of American cybersecurity policy, and the US should look to build on the progress of the last few years. But protecting our citizens, businesses, and governments from the threats of the Digital Age demands a more multifaceted approach with a strict division of labor between industry and government, including federal, state, and local. Our experience over the past several years demonstrates a need to diversify government’s role in cybersecurity beyond information sharing. After all, the greatest successes of cyberthreat information sharing involve sector-specific constructs with little to no government involvement.
The president’s Cybersecurity National Action Plan rightly aims to "raise the level of cybersecurity across the country." To do this, we should address the weakest links in our cybersecurity chain. As its chief executive, the president is right to make the federal government his first priority, but a national strategy requires robust coordination with states and strategic localities to address the most vulnerable in America’s cyberspace. From basic network security to information sharing, incident response, and cybercrime investigations, states have the potential to be the rising tide that lifts all boats.
For starters, the federal government should work with states and major urban areas to increase public awareness of cyberthreats and the adoption of best practices. Public awareness is less about enhancing information sharing than it is about expanding access. Until we begin to commoditize certain types of cyberthreat intelligence and expand its availability to the general public, industry, and researchers, barriers to entry for even novice hackers will remain too low to reverse the constant exploitation of our cyberspace.
The president’s latest Executive Order calls for the establishment of a Commission on Enhancing National Cybersecurity. Once that's done, recognizing the role of states should be near the top of the docket.
Dave Weinstein is a cybersecurity fellow at New America and the director of cybersecurity for the State of New Jersey. Follow him on Twitter at @jerzcyber.