When National Security Agency Director Gen. Keith Alexander spoke before the U.S. Senate Armed Services Committee this week, he was adamant that the military and intelligence community leave the monitoring of private sector networks to the private sector.
However he also mentioned the prevalence of hacking by foreign governments and cybercriminals targeting the defense industry, and the difficulties the government and the private sector have had sharing information. The comments raise the question of how hands-on the government should be in policing corporate networks, and what needs to be done to increase collaboration between intelligence community and the business world.
“What we’re not talking about is putting NSA or the military into [a corporate] network to see the attack,” Alexander said. “What we’re talking about…is we have to have the ability to work with industry, our partners, so that when they are attacked or they see an attack they can share that with us immediately.”
“When you think about it, it’s almost like the neighborhood watch program,” he said. “Somebody’s breaking into a bank; somebody needs to call the authorities to stop it. In cyberspace what we’re saying is, armed with…those things that help us understand that an attack is going on, we believe that industry is the right ones to tell the government that they see that, and get us to respond to it...I do not believe we want NSA, or (U.S.) Cyber Command or the military inside our networks watching. We think industry can do that.”
There is cyber-security legislation currently being proposed by both political parties to address the issues of government regulation and the sharing of threat information, such as the 2012 Cybersecurity Act and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act (SECURE IT). Both subjects are long-standing issues, with some complaining collaborating between the private and public sectors is often one way.
“Public and private sector data sharing is not happening enough because much of the public/government security data is classified,” Francis Cianfrocca, chief executive officer at Bayshore Networks, told SecurityWeek. “Also, most private enterprises are reluctant to acknowledge the vulnerabilities of their networks and would not report any cyber attacks on their intellectual property.”
The situation is also complicated because there is currently no “hold-harmless” protection afforded to the private sector for disclosing threat information and exposing incidents to the federal government, said Brian Ahern, president and CEO of Industrial Defender.
“Without these protections in place, private sector companies will be less inclined to share the information and risk potential negative exposure to the public and government,” Ahern said. “Current legislation pending before Congress attempts to address this issue by providing protection to disclosed cyber-security data; however, the proposals do not provide a similar protection to the disclosing entity. In order to ensure open communication from the private sector, it is essential to provide privacy protection for the disclosing entity as well as the cyber-security data being disclosed.”
“With 85 percent of the nation’s critical infrastructure owned and operated by the private sector, the public and private sectors must work collaboratively, with trusted and open lines of communication to ensure the most timely sharing of critical cyber-security information,” he added.
Privacy and political concerns make it impractical for the government to monitor private networks, Cianfrocca said. However, the government should play a bigger role in regulating the security best practices of critical infrastructure companies, he argued.
“Government should ensure that private enterprises deploy the next-generation cyber defense technologies that can stop advanced persistent threats and other highly motivated attacks from enemy states,” Cianfrocca said. “A strong enforcement mechanism has to be implemented especially in sensitive sectors such as power generation and distribution, oil and gas and transportation.”
A video of the hearing before the U.S. Senate Armed Services Committee can be found here.
Related Reading: Behind the Government's Rules of Cyber War