Statecraft and business have always been closely linked, but the advent of digital technology has blurred the roles more than ever. Systems crucial to the economic well-being and national security of the United States rest in the hands of private companies. The two sectors must cooperate by sharing information at an immense pace and scale to keep up with the threat of cyber attacks. The Cipher Brief’s Levi Maxey spoke with James Clapper, the former U.S. Director of National Intelligence, about how the U.S. approaches cybersecurity information sharing and why there continues to be obstacles for both government and private sector when sharing data on virtual risks with real world consequences.
The Cipher Brief: How would you characterize cooperation and information sharing between the intelligence community and major tech companies?
James Clapper: I guess I would call it a little strange. The problem with all of this information sharing business between intelligence and companies more broadly is that there are restraints and inhibitions on both as far as fulsome sharing. There is supposed to be an equities process that, at least while I was there, worked. Where you make adjustments based on the equities involved – if the intelligence community detects a vulnerability, do they share it or not? There is a process for deciding what’s best and probably no one is ecstatic about that process all the time.
TCB: Could you talk about how the equities process works? My understanding is that it is through the National Security Council but reports vulnerabilities to companies through the DHS.
Clapper: Well that’s it. What you described is my understanding of how it works. The DHS is the appropriate storefront and that’s the way that it ought to be. I don’t think the spy crowd should be directly engaging with the private sector.
TCB: The UK’s new National Cyber Security Centre has people from the Government Communications Headquarters (GCHQ), their vision of the NSA, working directly with private sector in somewhat of an unclassified setting. Would a similar system work in the United States?
Clapper: That would imply that GCHQ is sharing all information with their industry all the time – which I am not so sure is happening. Look, the jury is out on this, they are just getting started. The National Cyber Security Centre is a great experiment and we should see how it works. The challenge, of course, that we would have in the U.S. is scaling up on a much larger scale than what the UK is confronted with. But it is a good idea, and I would like to see how it works. I think a lot of work has been done on the U.S. side – maybe not the same structural organization, but certainly clearing people at various levels for access to classified information in the government. One thing that has been talked about is the cyber analog to the National Counterterrorism Center. That is one idea. You would have to get Congress to buy into that. But the idea certainly has merit, I think. It would be worth watching on how it works in the UK.
TCB: There are efforts ongoing to take the authority of the Vulnerabilities Equities Process (VEP) out from under the auspices of the National Security Council (NSC) and place it under the Department of Homeland Security (DHS) for more defensive priorities in the equities process to balance out the Intelligence Community’s collection priorities. Is this a good idea?
Clapper: There are some that would argue that it would be an advantage to have it more visible at the NSC level. So I don’t know what’s best. Any model will work depending on the commitment of the people that participate.
TCB: What about private sector directly having a seat at the table in the equities process?
Clapper: What do you mean by private sector? We would have to pick and choose which companies would participate then. That is a challenge that the U.S. has, whereas with the Brits, it is a little more restricted as to who would weigh in on that. During my domestic responsibility as Director of National Intelligence, the audience out there was huge. So who is it that you are going to pick and choose to include in the tent and who will you not? That is a real challenge we have.
TCB: Information sharing is not just government to private sector. Where do you see private sector sharing information with government here?
Clapper: The vast bulk of the cyber domain is in the private sector and the nation’s critical infrastructure is actually in the private domain. Therefore, the government can’t do this all by itself. In many instances, the private sector is similar to the Cold War’s Distant Early Warning (DEW) Line. In other words, they are the first line of detection for some form of attack.
They have their own restrictions for information sharing and opening their kimono – such as proprietary constraints – which I certainly understand. So the inhibitions for information flow work both ways. The inhibitions on the part of the government are its unwillingness to compromise sources, methods, and tradecraft. And certainly the private sector has its reasons for its reluctance to share too. So it is just something that they have to work through. It’s better than it was 15 years ago, but it’s certainly not perfect by any stretch.
TCB: What about the international aspect of this? If these are multinational companies operating in numerous countries, is this something that inhibits them from sharing information with a single government?
Clapper: Well it certainly complicates it, because then you have multiple layers of restrictions. Each country will have its own restrictions on sharing with private sector. It just makes it a little harder.
