Gaining the upper hand on global cyber threats depends on open bi-directional data sharing between the private sector and federal government. But a lack of trust between the two serves as a significant obstacle.
After a period of openness and urgency right after the attacks on Sept. 11, 2001, the public's trust in the data collection and surveillance practices among U.S. intelligence agencies has eroded. That’s especially true over the past six years in the aftermath of Edward Snowden’s revelations about surveillance activities in the U.S. intelligence community.
“We have a general lack of trust between the federal government and the tech sector,” said Matt Olsen, chief trust and security officer at Uber, who spoke at the CyberTalks conference in Washington, D.C., in October. “It wasn’t always that way,” he added.
As an example, he noted that the Defense Advanced Research Projects Agency (DARPA) started as a public-private collaboration based on a common purpose, and that a renewed focus on collaboration and sense of urgency was evident in the aftermath of the 9/11 attacks.
Balakrishnan Dasarathy, collegiate professor and program chair for Information Assurance at University of Maryland Global Campus (UMGC), agrees that we must return to a post-9/11 level of collaboration. “Information sharing must be more bi-directional to the extent possible,” he said.
John Demers, assistant attorney general, U.S. Department of Justice National Security Division, who also spoke at CyberTalks, said that events in China make it especially critical to close the gap and build awareness and cooperation with the private sector. “The Chinese have changed tactics over time,” he said.
“China is now using intelligence services to conduct their operations, so we’re seeing more insider threats, so we need corporations to say, ‘hey, we have an employee who is doing something suspect’ and then come to us.”
So how do we close the gap? At the conference, Teresa Shay, vice president of Cyber Warfare and Mission Innovations at Raytheon, suggested we look toward other industries for a model of success.
“Government needs to take advantage of threat intelligence and open source information much like the financial sector [has done],” she offered. “Financial institutions came together and shared information that enabled the whole industry to raise the bar for protection.”
And Chris Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), maintained that building credibility with the private sector is key to repairing trust and closing the gap. He views his group as the nation’s risk advisor with the responsibility of building trust. “With a target core audience of CISOs, executives and decision-makers, our challenge is to establish credibility so the private sector can buy into information sharing,” he said.
In her article, “Fostering Public-Private Collaboration on Cybersecurity,” Katherine Teitler suggests that one path forward would be greater collaboration on proposed laws that control how the government and the private sector work together to combat cyber threats. Teitler, who is director of content for Edgewise Networks, argues that both sides “must lay out expectations and discuss the realities of what information can be shared, how it should be shared, and any consequences of sharing sensitive information.”
That said, comprehensive cybersecurity bills have been in front of Congress since 2012 and have repeatedly failed to pass. “One of those bills, the Cybersecurity Information Sharing Act, did become law, but the language that would have addressed some trust issues was stripped out of the final version,” said Bruce deGrazia, program chair for Cybersecurity Management and Policy at UMGC.
The bottom line is that we have a way to go toward repairing trust. Private companies fear that disclosing data to the federal government will expose them to financial loss or legal action, and government agencies often are restricted in what they are able to share in return. “With cybersecurity crossing into issues of national security, a lot of information collected by the U.S. government about adversaries, attacks, and attack techniques becomes classified,” according to Dasarathy.
“What we need in this country is a law dedicated to privacy [that is] similar to the General Data Protection Regulation in the European Union,” said deGrazia. “Once you have established that level of privacy, the trust gap can narrow.”