By Gregory Hale
Communication within the government and between the government and the private sector is poor at best, and in a cyber environment questions remain about who is in charge and where protection starts and stops.
“DHS is in charge, but frankly, there is a coordinating entity in the White House that would enjoin people together, but if you read the papers that is somewhat in the air because there is an opening, and they may not fill the opening,” said Daniel Ennis, head of threat intelligence at BlueVoyant, during a panel session Thursday at the Future of Cybersecurity event sponsored by Siemens, which was a part of National Infrastructure Week hosted by Bloomberg in Washington. “I do believe there is a weakness there, but if there is a major event, it would co-locate with the National Security Council and they would take it from there.”
As in any business relationship, who the private sector goes to in a pinch to report an issue depends on who it knows.
“It is all relationship based,” said Sarah Urbanowicz, CISO at AECOM. “It depends on who you have a relationship with. It could be FBI or DHS. The relationship is based on trust. The relationship has gotten better, but it has a long way to go. There is a fear of a breach, and let’s be fair, everyone has a breach, it is just some are more public than others.”
The government is trying to become better, but there still remains a level of distrust.
“What the government needs to do is work with us to share information but do it in a way that is anonymized,” said Scott Goodhart, CISO at AES Corp. “We get hung up on the intelligence aspect of it, but if you are a global CISO like me, the information you require is not personal information, I really don’t care about the intelligence aspect of it, I need information most people would not recognize like indicators of compromise and things like that to take action. We get hung up in the broad sense of intelligence in methods and techniques. I am not that interested because I can’t do anything about that. It is not like I am going to launch a missile strike myself. In our sector, we are pretty strong about sharing between each other. I would call (Sarah) up in a minute to share information because there is a level of trust there. It gets further exacerbated in a regulated industry because if you share too openly, you would say I don’t want a regulator on our back. I think what the government needs is to come together and figure out the information we need and share it crisply and cleanly and we can really serve both ends.”
One issue is that the government is a bit too decentralized when it comes to security information.
“With information sharing, we have an authority capability mismatch,” said Niloofar Razi Howe, a security expert. “In the U.S. government, the authority lies with the DHS, the capabilities lie within the DoD and NSA and they can’t engage with the private sector, but the DHS can. That authority capability mismatch actually creates a lot of issues in terms of communicating issues in real time. Other countries have addressed this issue very strategically, but we haven’t begun to address that problem. From an information sharing perspective, if we want to understand what the threat landscape looks like, it is not about sharing specific indicators of compromise. We have to figure out how to share the nature of the threat and how it is growing with the private sector because the critical infrastructure lies mostly with the private sector so if we require clearances and classified networks to share, it is not going to get shared in real time.”
Ennis agrees the government needs restructuring.
“I come out of the NSA. We want to share, but there has to be a way to share,” Ennis said. “There needs to be a construct by which we do that because we are a foreign intelligence agency, not a domestic agency. We need a mechanism to take the foreign intelligence and translate it for the private sector. We need someone that is in charge. DHS is in charge, but FBI has this and the NSA has that. Who is in charge? The model we have all talked about if you go to the UK, you go to the NCSC (National Cyber Security Centre), they coordinate everything domestically as well as coordinate foreign intelligence aspects. They can put things in context and make sure people are cleared by sector if necessary so there can be an exchange.”
Razi Howe agrees the UK model works for them.
“The UK decided there was a threat to their structure as well as their national security systems and the threat was similar for both,” she said. “They developed a strategy and reorganized the government in order to address the strategy.”
On Their Own
While government is working to address its security issues, no one in the private sector expects the feds to help solve problems.
“Right now I don’t expect to be protected,” Goodhart said. “I do wish we had some more protection. I think the problem is we minimize the cyber threat in our dialogue within our populace. If our banks got hit with a missile, someone would do something. Yet, we are having these (cyber) attacks and our populace is saying ‘so what.’ They think the government is protecting them.”
“I have been doing security for 20 years, not until I came to AECOM where we provide and build this critical infrastructure, did it occur to me the direct collision course that cyber and infrastructure are on. The public expects infrastructure and everything that keeps our lives up and running will stay up and running. We have to get away from all the conversations that government plays a role in that. Do we expect protection? Absolutely not, because we have seen we are not getting it. I wish we were and there is progress to be made there. We need to be baking security into controls the same way we do physical security. It is not a line item, it is not an afterthought. It is not something you tack on at the end. When you talk about infrastructure, you better have the cyber capabilities baked in or you will have trouble down the line.”
Another issue is that there is no real deterrence to stop cyber incidents.
“To be a cyber criminal today is the highest reward, low risk criminal activity you can engage in,” Razi Howe said. “The prosecution rates are almost nonexistent. Deterrence policy is something only the government can do. Until we put policy in place that deters nation states, espionage, cyber crime, even other sorts of malfeasance, we can’t expect organizations to protect themselves. It is the wild, wild west out there. Nobody expects it, but until government starts using the powers and tools they have to create a deterrence policy, it is hard to establish effective defense.”
All of that means the private sector can work with government but has to take matters into its own hands, and panel members agreed the Charter of Trust is one way to go.
“We need to follow the Charter of Trust. We need a clear command and control when there is a threat. Private sector needs to collaborate and we need to communicate and share with the government.”
“This is not a theoretical threat,” Urbanowicz said. “It is real.”