Cyber threat clearinghouse key to national security

Michael Hayden was director of the National Security Agency, director of the CIA and principal deputy director of national intelligence. Samuel Visner is vice president and cyber lead executive at CSC. David Zolet is president of strategy and development for CSC's North American Public Sector.

The government warns Americans about health, pollution, weather and other threats. Why not cyber threats? Washington should begin sharing cyber warnings with those responsible for America’s critical infrastructure, from hospitals to water systems to banks. But the private sector should act on its own without waiting for the government.

Public/private partnerships are valuable tools for enhancing public safety and security. Through organized neighborhood watches, citizens report suspicious activities and receive better policing. Drug stores report data on the sales of certain pharmaceuticals, helping public health officials issue timely alerts about contagious diseases. Emergency management agencies and private suppliers of food and other consumables share information that helps them aid victims of natural disasters.

Cyber threats are growing. Advanced persistent threats already target the public and private sectors, with potentially dire consequences. Infection of a dam’s electronic control system, for example, could cause it to unleash cascades of water and destroy homes and lives downstream.

The code for the Stuxnet virus, which disrupted the industrial processes that control Iran's uranium enrichment, is now available on the Internet. Adversaries could adapt such tools to harm process-oriented infrastructure, such as chemical plants and electric power grids.

To protect against attacks, private-sector involvement is crucial. Private industry owns 85 percent of the country's critical infrastructure and deploys far more cybersecurity experts than the government ever will.

The Homeland Security and Justice departments counter cyber threats, but much more should be done.

As a first step, critical infrastructure operators and their IT providers should band together and establish a clearinghouse to share information on cyber threats and countermeasures. An umbrella cybersecurity operations center or a streamlined group of federated centers could oversee collaboration without raising antitrust obstacles.

A cyber partnership between the Defense Department and the private sector is a second way forward. The Defense Industrial Base program represents a growing commitment on the part of government and industry to work together to share information about threats and best practices to protect important unclassified data. Recently, then-Deputy Defense Secretary William Lynn pointed out that DOD shares sensitive data with private participants, who integrate it into their network defenses.

The pilot project has been a resounding success, and its logic is irrefutable. If a firm provides DOD with weaponry, both have a strong interest in protecting information about it. But companies cannot allow proprietary data to fall into the wrong hands, and DOD must protect sensitive government data and not give an advantage to one supplier over another.

Lynn said DOD is now working with DHS and the White House to expand the pilot partnership to other sectors of critical infrastructure. It ought to be an urgent priority. New protections and incentives must guide voluntary information sharing. If the risks and consequences of cyberattacks are lowered, partners might qualify for reduced insurance premiums or incur diminished liabilities.

Finally, more operators of critical infrastructure should establish or gain access to round-the-clock cybersecurity operations centers. They would build on existing coordination efforts and link with a DHS integration center.

National security restrictions hinder the sharing of government cybersecurity data. After the 2001 terrorist attacks, the national security community began sharing more data so they could better "connect the dots." Similarly, security issues associated with sharing information on cyber threats are likely solvable.

Wider access to information and new concepts of public/private trust are essential for America to protect its economy and homeland security against tomorrow's cyber threats.

About the Authors

Michael Hayden was director of the National Security Agency, director of the CIA and principal deputy director of national intelligence.

As Director of the INTERPOL Digital Crime Centre in Singapore, Sanjay Virmani heads the operational arm of INTERPOL that is tasked with supporting cybercrime investigations in its 190 member countries. Prior to joining INTERPOL, Virmani was a Supervisory Special Agent with the Federal Bureau of Investigation in their San Francisco Field Office and has more than 11 years of experience as an investigator in computer intrusion and cyber terrorism matters. Mr. Virmani has been one of the FBI’s leading experts in cyber terrorism and has led multi-agency initiatives against terrorist use of the Internet as a supervisor in the FBI's Counterterrorism and Cyber Divisions.

David Zolet is president of strategy and development for CSC's North American Public Sector.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Thu, Dec 15, 2011 CallMeBC

No. If nothing else was learned during Hayden's tenure at the NSA is that public - private "partnerships" are worth squat in terms of cyber-security, and probably with everything else with the word "security" tacked on its end. The only beneficiaries so far appear to be well connected contractors reaping in lucrative contracts and not having to really produce anything really all that substantial in return. (Hayden himself is currently a member of one such well-connected contractor, the Chertoff Group.) As far as that DoD program that was mentioned, the "resounding success" apparently was along the lines of switching from a weaker AV to a better one. What we really need it beefed up R&D in agencies and departments that have actual track records in being able to deal with advanced malware and hacking, as well as going beyond the usual DC area backscratcher societies to seek out and recruit or contract top notch cyber talent.

Mon, Dec 12, 2011

The commercial sector, frankly, does not want to know about threats as most of the time they can safely ignore the threat. They are more concerned with vulnerabilities, which in the end are what threats exploit. Using resources in a commercial environment to monitor threats is money wasted in most cases. Sharing threat information in the commercial sector is thus meaningless, a fact we've had to re-learn now for a generation.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group