Industry doesn't want to risk trade secrets, and government likes to classify critical information. No wonder cyber threats get less concerted attention than they deserve.
At nearly every conference and congressional hearing on cybersecurity, officials emphasize the need for better cooperation between government and industry to deal with computer security threats. No such meeting is complete without a reminder that the majority of the country’s critical infrastructure — including power plants, telecommunications and financial institutions — is privately owned.
That emphasis makes the Government Accountability Office's new finding that the public and private sectors aren't meeting each other's expectations for sharing cybersecurity data particularly unsettling, though not surprising. According to GAO, the amalgam of information-sharing councils and programs isn't getting the job done.
Just 27 percent of the 56 industry representatives GAO surveyed said the government was giving them timely and actionable cyber threat information and alerts to a great or moderate extent. For their part, government officials said the private information technology sector was giving them only one of the 10 services that were expected.
GAO auditors concluded that without improvements in meeting private- and public-sector expectations, the so-called partnerships will remain marginal, and “there is a risk that owners of critical infrastructure will not have the appropriate information and mechanisms to thwart sophisticated cyberattacks that could have catastrophic effects on our nation’s cyber-reliant critical infrastructure.”
The reasons are not hard to discern. Industry is wary of sharing sensitive information with government for fear of negative effects on its business. In a recent speech, FBI Director Robert Mueller tried to allay those concerns by saying, “We do not want you to feel victimized a second time by an investigation.”
Meanwhile, the government's penchant for classifying data poses barriers to sharing it with the private sector. “From an industry perspective, government has to be more forthcoming in sharing relevant threat information and not hide behind [the notion] that everything is classified, because it’s not,” said Robert Dix, vice president of government affairs at Juniper Networks.
The Catch-22 is hard to overcome. For instance, the government has identified 18 critical infrastructure sectors, and each sector has a council composed of industry officials and a council of local, state and federal government officials. The Homeland Security Department has issued the National Infrastructure Protection Plan (NIPP) as the framework for dealing with threats to that infrastructure — including cyber threats.
However, critical information is often classified and resides outside DHS, said Michael Markulec, chief operating officer at Lumeta, which makes a network-mapping product and works with the Defense Department and federal intelligence and civilian agencies.
“So what happens is that you have a framework for having conversations, but the conversations you have aren’t necessarily the right ones,” Markulec said. “We’re not talking about persistent threat vectors, we’re not talking about the latest incursions, we’re not talking about intelligence that maybe is being centralized…and disseminated before attacks happen. And I think that’s where the breakdown is right now.”
Despite the need for improvement, the framework is yielding some good work, Markulec said.
There has been a lot of improvement, agreed Dix, who is chairman of the Information Technology Sector Coordinating Council's Executive Committee, which helped develop NIPP. He was also surveyed by GAO for its recent report.
“I think that what has been evolving in terms of the relationship between industry and government has improved dramatically, but there’s still a ways to go,” he said. “We’re not going to fix this whole thing overnight, but I actually believe there are some positive steps that are being taken in this collaboration between industry and government that aren’t fully acknowledged in the GAO report.”
The upshot is that officials in industry and government are likely to continue to stress the need for better public/private partnerships, but everyone — including government auditors — seems to agree that major progress is necessary. “All of this is grounded in a foundation of trust,” Dix said.
That kind of faith isn’t natural between regulators and the regulated. That’s why cybersecurity threats to privately owned critical infrastructure provoke such unique worries and atypical partnerships. That’s also why there will be many more hearings, conferences and GAO reports before the problems are resolved.