In the midst of ongoing, escalating and increasingly troublesome reports of large-scale corporate cyber breaches, the federal government is trying to fight back more forcefully with a dual strategy to shore up agency capability and exchange information with industry in a “shared mission.” Recently, it added five newly enacted cybersecurity laws to its arsenal – or mitigation squad. Their purported goal: to improve the government’s capability to thwart and limit future attacks. The laws generally seek to:
This latest round of legislative tweaks, however, is but one component of a more comprehensive approach that includes executive action and solicits industry participation – and disclosure.
In the Cybersecurity Summit that the White House convened at Stanford University last Friday, President Obama acknowledged the government’s inability by itself to combat cybercrime in a quickly escalating “cyber arms race.” That critical infrastructure and so many computer networks reside in the private sector – outside of government – was the reason given for the necessity of a proposed private-public sector partnership. While recognizing the ingenuity of many American companies he asserted that they often lacked the means to fend off a cyberattack, the “situational awareness” or the ability to immediately warn other companies and coordinate a defense with other companies or within the same industry. By contrast, government was portrayed as more often receiving the most current information on impending harm – warnings that could be rendered more effective with relevant information from companies or sectors. (Last week a new monitoring collaboration was announced: DHS would house a center where designated government and business delegates monitor cyber threats around the clock.)
The bottom line Administration strategy: to enlist the help and cooperation of the private sector in joining the government on a “shared mission” and “share appropriate information as true partners.” To further that goal, President Obama signed an executive order to facilitate the government’s release of classified information about cyber threats to companies and promote the sharing of information between companies and industries through organizational hubs. For example, a company’s recognition of a particular malware or a suspicious virus and subsequent warning could thwart a large-scale cyberattack. Formulating a common set of standards that encompasses safeguarding privacy and civil liberties was a component of the order. Participation in the program will be voluntary, however.
The proposed joint venture of government and business continues, however, to highlight the tension – and, in many corporate circles, the mistrust – of the government to honor company privacy rights and individual personal information. President Obama acknowledged the inherent tension and the difficult process of finding a way to uphold individual liberties and privacy while safeguarding national security interests in its quest to beat back cyber threats. In an effort to assuage those concerns, he said that it was not appropriate or even possible for the government to secure computer networks of private business. Other protective measures proposed:
In this ”wild, wild West” of the cyber world, a torrent of catch-up initiatives recently has been taking hold and new measures will continue to be proposed. Ongoing and new overtures by the federal government for cooperation and openness in the private sector will be made with increasing urgency. And along with the objectives of protecting national security, U.S. citizens, personal information and corporate commercial assets – in finance, manufacturing and health care, among other industries – will be the heightened challenge of doing so while protecting individual liberties and the right to keep one’s own personal information private from both hackers as well as the government, even when the reasons are well-intended.
* The individual cyber laws and legislative proposals will be discussed in greater detail in subsequent postings.