The lack of cybersecurity continues to pose the biggest threat to the United States. Describing it “one of the most serious economic and national security challenges we face,” President Obama went on to issue Executive Order 13696, to Improve Critical Infrastructure Cybersecurity. This order led to the Enhanced Cybersecurity Services (ECS) program — which requires the Department of Homeland Security to offer critical infrastructure industries protections against a “potential catastrophic hack.” The success of the program is dependent on public-private information sharing regarding cyber intrusions.
The National Institute of Standards and Technology (NIST) was ordered to create a Framework for Improving Critical Infrastructure Cybersecurity. NIST’s first report, focusing mainly on homogenization of the format for reporting on cyber intrusions to the government was released on February 12, 2014.
While DHS boasts about its active collaboration “with public and private sector partners every day to respond to and coordinate mitigation efforts against attempted disruptions and adverse impacts to the nation’s critical cyber and communications networks and infrastructure,” only three of 16 critical sectors–energy, communications services, and the defense industrial base–are part of the program.
On August 11, the DHS Inspector General issued a report noting that “health care, banking and other key sectors at risk of cyberattacks” have yet to join the ECS program, which transmits confidential indicators of threats so that the Internet service providers of companies can update their network-protection systems. However, only two Internet/Communication Service Providers, AT&T and CenturyLink, have been authorized to receive classified information. When asked about the ECS, a representative of one of the critical industries responded, “We’re not familiar with the specific program.” Another source is quoted as saying “the threat indicators provided were redundant, formatting was not standardized, and a majority of the information provided was unclassified and available through other sources.”
DHS has promoted the program through media requests, public testimony and its website. However, it didn’t specify any benefit for participating in the program, or mention that the “security validation and accreditation process in order to participate in the program” can take more than eight months of dealing with government bureaucracy.
Of all industries, financial institutions are said to be the preferred target of hackers, as 95 percent of all ‘money’ is digital. According to Tom Kellermann, chief cybersecurity officer for Trend Micro: “More than 98 percent of bank heists occur in cyberspace and this is being exacerbated by mobile banking and the correspondent rise in mobile mugging. Financial institutions adhere to higher standards of security than other industries, however they are also targeted by the world’s elite hackers.” However, the ease with which financial institutions can be hacked poses a growing hazard to consumers whose identity is stolen while their accounts are breached. Armed with stolen identities, hackers go on to collect billions through health insurance, social security and other kinds of fraud.
Not surprisingly, public confidence in the nation’s cybersecurity undertakings is abysmal. A recent survey of 600 IT and information security executives who hold positions at electric, gas and water utilities, as well as at oil distributors, alternative-energy companies and chemical and industrial manufacturers conducted by the Ponemon Institute noted that only three percent of IT executives at utilities and other critical infrastructure businesses believe that federal security rules and standards decrease the threat to the digital systems running their operations. The report also found that this was not because those polled didn’t know about cyber standards developed by NERC and the National Institute of Standards and Technology. Some 57 percent were at least somewhat familiar with them. The problem is that directives and recommendations become outdated too fast to be of use. The cost of following government protocols was listed by a quarter of the respondents as the reason they do not comply.
The administration’s rhetoric on cybersecurity is met with the public’s reluctance to share information with the Executive Branch. On Capitol Hill, several bills have been introduced over the years, but none has been approved by the both the House and the Senate.
On June 8, 2014, S. 2588, the Cybersecurity Information Sharing Act (CISA), authored by Senator Diane Feinstein, was passed by the Senate. CISA “would essentially remove the legal restrictions that currently bar companies from sharing information with the government.”
On July 28, 2014, just before the summer recess, the House passed three cybersecurity-related bills: H.R. 3639 – “The National Cybersecurity and Critical Infrastructure Protection Act of 2014;’’ H.R. 3107 – “The Homeland Security Cybersecurity Boots-on-the-Ground Act;” and the fourth version of CISPA, H.R. 624 – “The Cyber Intelligence Sharing and Protection Act.”
These bills, which have yet to become laws, are intended to facilitate the much talked about public-private information sharing. However, they deal mostly with the privacy and liability issues involved. Private involvement remains voluntary and the government is put under no compulsion to share classified information with the private sector.
Yet the success of the public-private information sharing program is dependent on the trust of the public to share its private data with the government. A cybersecurity thought-leader, Dan Geer, Chief Information Security Officer at In-Q-Telart, does not trust the government’s pubic-private information sharing. “I don’t trust a situation where I have not only no control about its use, but no visibility about whether it is being used. Take electronic health records. We’re obviously going towards it in a big way. But I ask you, who owns the electronic health records?” However, if and when your information is breached, the government refuses to share that information (classified just because it has been collected by the government) with the public.
Until the government finds a way to safely reveal and share its information with the public, our vulnerability to cyber attacks will increase. One wonders what will it take for this administration to heed its own experts’ warnings that escalating cyberattacks are rapidly undermining our economic and national security. Any further delays would make it most difficult to diminish the threat, not to mention stay ahead of them.