WASHINGTON—The Obama administration’s cybersecurity proposals, intended to protect the nation’s critical infrastructure through public-private partnerships, don’t go far enough, experts say, and they recommend alternative measures to address cybersecurity threats, especially those facing private companies.
At a Passcode & Center for National Policy event on Feb. 19, Phyllis Schneck, chief cybersecurity official for the Department of Homeland Security, declared having industry standards is paramount for cybersecurity risk management and stressed that private sector engagement and awareness are at the core of exposing future cyber threats.
“The past year has been very, very enabling, legislatively,” Schneck said. She went on to discuss how recent cybersecurity legislation, specifically the Federal Information Security Modernization Act of 2014, has clearly defined DHS’s role in collecting cybersecurity threat information and protecting federal civilian agencies.
“We lost a lot of time in going in to protect those agencies because legally it wasn’t actually clear,” Schneck said. “We were working from a patchwork of different pieces of different laws.”
President Barack Obama signed an executive order on Feb. 13 that set DHS as the epicenter for information sharing about cyber threats and centralized the federal government’s efforts to strengthen collaboration between the public and private sectors.
The National Institute of Standards and Technology (NIST) launched a voluntary cybersecurity framework in 2014 that serves as a guide giving businesses a common language for implementing best practices when managing cybersecurity risk.
Paul Tiao, a partner at Hunton & Williams and previously senior counsel for cybersecurity and technology to the director of the FBI, said companies need flexibility when dealing with the ever-evolving cybersecurity threats.
Tiao emphasized that companies that had complied with guidelines mandated by NIST were less focused on actually reducing cybersecurity risk.
Certified as compliant with the regulations, Target still suffered a data breach after hackers broke into its systems and stole credit card and personal information from 70 million customers. The data breach cost the company $162 million.
“Just because you’re compliant with a regulation doesn’t mean you’re secure,” Tiao said.
Tiao added that companies need to embrace the reality that a cyber incident “is an inevitability and not just a risk.” He suggested companies need to concentrate on monitoring potential threats and systematically identifying and cataloguing sensitive data.
“We just can’t build a high enough wall to block all the hackers,” Tiao said.
Panelists at the event echoed Tiao’s sentiments and noted that although information sharing does have some value in preventing cyber attacks, it is not the “silver bullet.” They said companies, instead, must practice good coding and basic digital hygiene.
“Part of the point is to prevent attacks from cascading from company to company,” said Harley Geiger from the Center for Democracy & Technology, who spoke on the panel. “But it would be far more valuable to those companies not to be vulnerable in the first place.”
The Center for Strategic and International Studies reports that up to half a trillion dollars, almost a billion dollars a day, is lost every year as a result of cyber crime.
“While cyberspace has been identified as a major area of concern by the federal government for years, the number and impact of recent attacks on major U.S. corporations has been widely reported only recently,” said Andrew Berene, federal chief strategist at IBM for i2 intelligence, who spoke at the event.
Berene hopes companies can become more “proactive” in their future cyber approach in order to disrupt attacks “before the damage is done and the headlines are written.”
“We’ve too frequently seen organizations picking up pieces after yet another major cyber attack or breach,” Berene said.
Looking forward, DHS plans to run several awareness campaigns intended to encourage companies to adopt the new industry standards.
“We’ll find ways to innovate, work together and leverage public and private sector resources to protect our commerce, our way of life and our personal lapse,” Berene said. “Stakeholders from business and governments are already thinking, acting and adjusting as needed to reduce risks in cyberspace for Americans.”