Cybersecurity

Want to stop the next WannaCry? Stop classifying and start sharing

world map 

A push to declassify cyber-related intelligence would lead to better information-sharing and be the most effective way to face down the next WannaCry, former U.S. Chief Information Security Officer Gregory Touhill said at a June 15 congressional hearing. That global ransomware attack, he warned, "could have been much, much worse."

Touhill, speaking at a joint hearing held by two subcomittees of the House Science, Space and Technology Committee, said both government and private industry should engage in frequent exercises and drills as preparation for the next event.

"Public private partnerships are an instrumental tool" in preventing the next WannaCry, agreed

Darin LaHood (R-Ill.). The congressman praised another witness, Kryptos Logic CEO Salim Neino, as a case in point -- noting it was a Kryptos employee who first identified the WannaCry "kill switch" that enabled governments and other organizations to contain the ransomware's spread.

The chief barrier to better public-private collaboration is a systemic lack of information sharing, Touhill declared. And "the biggest inhibition to information sharing between the public and private sector," he said, "is over-classification of information by the government."

Touhill noted that a disproportionate amount of information marked top secret was at the same time widely available in the public domain. One fix? "Change the default setting," he said, so that more information is initially unclassified. One study has shown, he said, that classified information appears online in about seven days anyway.

This transparency would assist in preparation, noted Touhill -- a point echoed by Charles H. Romine, director of the Information Technology Laboratory at the National Institute of Standards and Technology.

Such preparations are not always about prevention, he stressed. "We are often thinking about detection and prevention of attacks," he said. "We don't pay enough attention to response and recovery."

Touhill agreed, adding that serious planning and preparation should involve exercises and drills that include personnel at all levels.

Regular drills "including the C-suite" would invest preparation with the urgency it deserves, he said. "I think that's a conversation that boards and C-suites should be having, because frankly, if I'm somebody who's an investor in a company that's attacked, I'm going to be asking, 'why weren't you doing due care and due diligence?'"

About the Author

Ben Berliner is a former editorial fellow at FCW. He is a 2017 graduate of Kenyon College, and has interned at the Center for Responsive Politics and at Sunlight Foundation.

He can be contacted at [email protected].

Click here for previous articles by Berliner.


Featured

  • Budget
    Stock photo ID: 134176955 By Richard Cavalleri

    House passes stopgap spending bill

    The current appropriations bills are set to expire on Oct. 1; the bill now goes to the Senate where it is expected to pass.

  • Defense
    concept image of radio communication (DARPA)

    What to look for in DOD's coming spectrum strategy

    Interoperability, integration and JADC2 are likely to figure into an updated electromagnetic spectrum strategy expected soon from the Department of Defense.

Stay Connected