A week after two big moves on cybersecurity policy, cyber czar Michael Daniel reflects on the avenues for public-private information sharing.
Special Assistant to the President and Cybersecurity Coordinator, Michael Daniel, addresses the crowd at the Atlantic Council's "Breaking the Cyber Information-Sharing Logjam" on February 18. (Photo: Sean Lyngaas/FCW)
How cyber threat information-sharing practices between government and industry develop within the next few years will set the tone for that collaboration for decades to come, according to White House cybersecurity adviser Michael Daniel.
In the next three to four years, "we will be defining how a lot of these relationships will operate for the next 50," Daniel said at a Feb. 18 Atlantic Council event in Washington, D.C. He was speaking after a momentous week of cybersecurity policy for the White House that featured an executive order to encourage public-private information sharing and the unveiling of a new agency for analyzing cyber intelligence.
Given that the vast majority of cyber-related infrastructure is privately owned, "there is almost no other issue in the national security and the economic security space … that is shared in that same manner," Daniel said.
The heavy role of the private sector in cybersecurity "means that we are having to chart … some new ways of interacting between the government and the private sector that don't fall neatly into traditional regulatory or contractual categories that we've had," he added. "And so as a result, we're struggling, in many ways, to figure out what those relationships are going to be."
The recent executive order was intended in part to flesh out those relationships by encouraging exchanges beyond established, sector-specific information sharing and analysis centers. An information sharing and analysis organization (ISAO) can be anything from a "non-for-profit community" to a single firm, according to a White House summary.
Daniel also echoed a common warning from cybersecurity experts that information sharing is just a means to an end, not a solution unto itself. Different types of information sharing are needed for active cyber defense and situational awareness, he added, without elaborating on those different methods.
During a panel discussion following Daniel's remarks, his deputy, Ari Schwartz, brushed aside a suggestion that executives from Facebook, Google and Yahoo may have skipped last week's White House cybersecurity summit because of tensions with the Obama administration on privacy issues. Schwartz called the notion "completely overblown," and pointed to Bank of America's reported requirement that its vendors adopt the administration's cybersecurity framework as evidence of cooperation from the private sector.