Countering cyber-threats can be difficult, and information sharing has come to be seen as a constructive way to attack the problem. Elaine Lammert, a former Deputy General Counsel with the FBI, spoke with the Cipher Brief about the need for a holistic approach to cybersecurity and the importance of trust for information sharing efforts to be effective.
The Cipher Brief: Some critics have argued that information sharing does not affect the key behaviors that cause cybersecurity problems, such as not updating computers or clicking on suspicious attachments. Are these criticisms valid? How effective is information sharing at promoting strong cyber-security?
Elaine Lammert: A robust strategy for protecting cyberspace and enhancing cybersecurity must be multi-faceted. A strategy to prevent incidents and strengthen security must include education and training, securing business processes, and early detection. Education and training leads to better security awareness within the workforce and at home. This should be complemented with business processes that “defend” systems from attacks – system hardening and monitoring, controlling and verifying authorized access to systems, and documented policies and procedures to name a few. Finally, detecting a vulnerability that provides an opportunity for a cyber-attack helps prevent or hopefully lessen the damage. Underlying these steps is the need for information sharing.
Information sharing supports and enhances security measures and practices. Private and government entities develop and analyze information regarding threats and vulnerabilities. Sharing this information within the community assists in preparing and preventing cyber-attacks. The Information Sharing and Analysis Centers that are supporting many critical infrastructure sectors are an example of how information sharing promotes cyber-security. These are non-profit organizations that support many critical infrastructure sectors by providing a mechanism to gather information on cyber threats related to critical infrastructure and share this information between the public and private sector. Strong cyber-security requires a holistic approach – no one facet alone can protect our cyber space.
TCB: There are a lot of concerns about abuses of privacy and civil liberties in regards to information sharing. What is the basis for these concerns, and what can be done to address them?
EL: After the 9/11 attack, the focus has been on preventing, and not just reacting to, national security threats. To successfully prevent a threat to national security, one must develop a strong intelligence capability based upon the acquisition of information that assists in identifying and mitigating the threat. This requires information sharing not only among federal, state, and local government agencies but also between these agencies and the private sector.
Many have voiced concerns about the harmful impact information collection and sharing may have on privacy and civil liberties. These concerns seem to be less about the need to gather and share information and more about whether the methods used comply with the Constitution and protect privacy. What information is being collected and how? Who has access to this information? How will it be protected from abuse? In other words, what safeguards are in place to ensure it will be used for the purposes for which it was acquired?
Collection and retention of information within government databases must be based upon the particular agency’s legal authority. For information to be helpful, it must be timely, relevant, and actionable. This not only assists the government in effectively preventing threats but also addresses privacy concerns by focusing the collection of data on what is necessary to address the threat. Once acquired, information should be safeguarded through policies and procedures that ensure that access is given only to individuals with the lawful authority and need to do so. Audit mechanisms should be established to ensure the agency’s processes comport with the law and are effective in achieving the agency’s mission. Workforce training and development of compliance programs provide the mechanisms to achieve and monitor the implementation of these procedures.
Some cyber experts also contend that the concerns about information sharing and privacy are not only related to legal safeguards but also pose ethical dilemmas. Even if the information sharing practices are within legal parameters, they may also raise ethical issues, which may explain why private or public sectors are reluctant to share.
TCB: The Cybersecurity Information Sharing Act (CISA) bill has become law, but its passage by Congress has not been without controversy. Is CISA a good first step and/or a good model for future information sharing efforts?
EL: CISA appears to be a step towards strengthening cyber-security efforts more so than a model for information sharing. Experts in the field have stated that the key to cybersecurity is legislation that specifically defines the information that may be shared, develops processes to enable such sharing, provides for liability protection, requires and supports the development of a well-trained cyber workforce within both the government and private sector, identifies and develops security standards, and promotes international community cooperation. CISA seems to address these issues.
After years of failed legislative efforts, having a piece of legislation that provides the authority to share relevant information; a framework for the type of information to be shared; liability protection for sharing such information; a requirement to begin addressing workforce shortages in the cyber arena; and a requirement to develop international cooperation in combating and preventing cybercrimes, is a good first step.
The strongest concern has been over the impact the information sharing provisions may have on privacy. In particular, will the sharing of threat data include the sharing of personally identifiable information or other information protected under other laws designed to safeguard individual privacy? The information sharing section of the legislation contains several requirements designed to protect privacy and civil liberties. The legislation requires the Attorney General to promulgate guidelines regarding privacy and civil liberties that will govern the acquisition, retention, use, and dissemination of the information. There is also a periodic review provision. The devil is in the details, and whether the legislation strikes the appropriate balance between information sharing and privacy remains to be seen.
TCB: How should the cooperation between government and industry proceed in regards to information sharing moving forward?
EL: The willingness to share is based upon developing trust: trust that the information will be used appropriately and protected as needed; trust that the sharing will be a two-way street; trust that an entity will not suffer additional harm by sharing. The levels of information sharing are at heights never imagined before 9/11.
The willingness to share comes from the top down – leadership must drive and encourage sharing. Private and public entities must work together to demonstrate the willingness and ability to share information. This can be accomplished through transparency in the process, providing information in a quick and timely fashion, and the continued development and support of information sharing organizations comprised of both government and industry entities. Finally, joint training and education of the workforce and the public, so that they understand the cyberspace environment, the laws and policies governing this arena, and the efforts being put forth to protect our cyberspace, are vital to a successful cybersecurity strategy.