DOD info-sharing program to expand under order
In the days since President Barack Obama released his executive order on cybersecurity, active discussion of the measure's moving parts, implementation and potential impact has been unfolding. One area central to the order -- and to federal cybersecurity in general -- is information sharing among government, industry and other stakeholders.
Information sharing is explicitly targeted in the executive order, particularly through the mandated expansion of the Enhanced Cybersecurity Services program. When it was launched in 2011 as the Defense Industrial Base Cyber Pilot, the effort involved fewer than a dozen defense contractors testing ways for the government to share attack signatures for identifying threats to defense contractors’ networks.
The cyber pilot later expanded to include more companies, and in 2012, the Department of Homeland Security assumed an active role in the program and took over essential communications with Internet service providers.
Now the program is being enlarged to a governmentwide initiative that seeks to better secure the networks of agencies and private companies, including those that manage critical infrastructure, against cyber-borne threats.
"The initial impetus in the DIB Cyber Pilot was a proof of concept," said William Lynn, former deputy secretary of defense and now CEO of DRS Technologies. "It was to show there could be a public/private partnership and that we could get through the policy and legal thickets to allow this information sharing. We wanted to prove the construct could work and could be applied to a much broader set of government agencies and, in some cases, smaller organizations with less capable cyber defenses. The use of the example by the president in his executive order shows that it was a success."
The original pilot program focused on government agencies within the Defense Department and the intelligence community sharing known threat signatures with participating companies. The companies could then use that information to look for malicious activity on their own networks. The program was criticized -- most notably in a Washington Post report -- for relying too heavily on signature-based defenses, which can be of limited effectiveness and are only one of many tools that should be used.
"The government signatures that were provided added some to companies' defenses," Lynn said. "It wasn’t as big of a game-changer for some of the larger companies, which had cyber capabilities of their own, as it might have been for smaller companies with less capable defenses. And that's where it's being expanded to and where the president's executive order is taking it."
Nevertheless, because it lacks the power to create new regulations or change existing laws, many experts say the executive order will not lead to sweeping cybersecurity action.
Lynn, who helped launch the cyber pilot program and DOD's 2011 Strategy for Operating in Cyberspace, is quick to note that neither the information-sharing effort nor the executive order will be enough to comprehensively tackle cybersecurity at the federal level. Top government officials, including Lynn and Obama, have repeatedly called on Congress to enact thorough cybersecurity legislation that can go further than an executive order.
"The EO deals a lot of with government-to-private-sector sharing because that's what the president can direct in an EO," said Michael Daniel, White House cybersecurity coordinator. "That doesn't mean we don't think that enabling properly protected...information coming back to the government is important. That's very important. Perhaps equally important is making sure the statutory framework enables, rather than restricts, private-to-private information sharing."
Current laws do not always ensure information sharing because some companies fear revealing their vulnerabilities to government agencies that could take legal action against them, and private organizations are often unwilling or unable to share proprietary information with one another.
In a Feb. 14 blog post, the Heritage Foundation's Paul Rosenzweig and David Inserra noted that the executive order cannot overcome those limitations.
"While the EO does take some positive steps in the area of information sharing, these steps are hamstrung by the EO's inability to provide critical incentives such as liability protection," they wrote. "The problem is that the EO cannot provide these important protections. They can be created only by Congress. As a result, many businesses will be reluctant to share their information for fear that their proprietary information could be endangered by a [Freedom of Information Act] request or that an honest mistake might lead to a lawsuit being filed against them."
Lawmakers failed to pass cybersecurity legislation last year, but they are expected to take it up again in the coming months. House members have already reintroduced the Cyber Intelligence Sharing and Protection Act, one of the proposed measures that did not succeed last year, and Senate Democrats have announced plans to revive other legislative efforts.
According to Lynn, it cannot happen soon enough. He said one of his top concerns is seeing the government respond to the rapidly evolving cyber threats the country faces.
"The issue is whether we're moving fast enough," he said. "Clearly, the threat is moving up a scale, from disruptive to destructive attacks. The kinds of actors we see mounting those attacks are becoming increasingly malicious, moving from nation states to rogue states to terrorist groups. We need to move quickly. Congress missed the opportunity to act last year; we can't afford for them to miss the opportunity this year."