NSA Director: Cyber Security Challenged by Lack of Information Sharing

When National Security Agency Director Gen. Keith Alexander spoke before the U.S. Senate Armed Services Committee this week, he was adamant that the military and intelligence community leave the monitoring of private sector networks to the private sector.

However, he also mentioned the prevalence of hacking by foreign governments and cybercriminals targeting the defense industry, and the difficulties the government and the private sector have had sharing information. The comments raise the question of how hands-on the government should be in policing corporate networks, and what needs to be done to increase collaboration between the intelligence community and the business world.

“What we’re not talking about is putting NSA or the military into [a corporate] network to see the attack,” Alexander said. “What we’re talking about…is we have to have the ability to work with industry, our partners, so that when they are attacked or they see an attack they can share that with us immediately.”

“When you think about it, it’s almost like the neighborhood watch program,” he said. “Somebody’s breaking into a bank; somebody needs to call the authorities to stop it. In cyberspace what we’re saying is, armed with…those things that help us understand that an attack is going on, we believe that industry is the right ones to tell the government that they see that, and get us to respond to it…I do not believe we want NSA, or (U.S.) Cyber Command or the military inside our networks watching. We think industry can do that.”

Both political parties are currently proposing cyber-security legislation to address the issues of government regulation and the sharing of threat information, such as the 2012 Cybersecurity Act and the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act (SECURE IT). Both subjects are long-standing issues, with some complaining that collaboration between the private and public sectors is often one way.

“Public and private sector data sharing is not happening enough because much of the public/government security data is classified,” Francis Cianfrocca, chief executive officer at Bayshore Networks, told SecurityWeek. “Also, most private enterprises are reluctant to acknowledge the vulnerabilities of their networks and would not report any cyber attacks on their intellectual property.”

The situation is also complicated because there is currently no “hold-harmless” protection afforded to the private sector for disclosing threat information and exposing incidents to the federal government, said Brian Ahern, president and CEO of Industrial Defender.

“Without these protections in place, private sector companies will be less inclined to share the information and risk potential negative exposure to the public and government,” Ahern said. “Current legislation pending before Congress attempts to address this issue by providing protection to disclosed cyber-security data; however, the proposals do not provide a similar protection to the disclosing entity. In order to ensure open communication from the private sector, it is essential to provide privacy protection for the disclosing entity as well as the cyber-security data being disclosed.”

“With 85 percent of the nation’s critical infrastructure owned and operated by the private sector, the public and private sectors must work collaboratively, with trusted and open lines of communication to ensure the most timely sharing of critical cyber-security information,” he added.

Privacy and political concerns make it impractical for the government to monitor private networks, Cianfrocca said. However, the government should play a bigger role in regulating the security best practices of critical infrastructure companies, he argued.

“Government should ensure that private enterprises deploy the next-generation cyber defense technologies that can stop advanced persistent threats and other highly motivated attacks from enemy states,” Cianfrocca said. “A strong enforcement mechanism has to be implemented especially in sensitive sectors such as power generation and distribution, oil and gas and transportation.”

A video of the hearing before the U.S. Senate Armed Services Committee can be found here.
