The cyber attack on the Office of Personnel Management this past summer is likely to go down as one of the most damaging security breaches in U.S. government history. Its ultimate impact on America’s national security will play out over decades. And it didn’t happen in a vacuum, but rather appears to be part of a broader, persistent, and longstanding campaign against U.S. government and corporate assets.
Experts suggest the same adversaries, widely believed to be from China, breached Anthem months before successfully attacking OPM. There is evidence to suggest the campaign is ongoing, and more potential victims continue to be uncovered, possibly including United Airlines, American Airlines and Sabre.
This is not the first cyber attack campaign against the U.S., nor will it be the last. Our adversaries, whether nation-state supported, organized criminal gangs, or other hacker collectives united by some shared goal, have only grown more persistent as more and more of our government and corporate assets are shown to be vulnerable. Enterprises are vulnerable today because they are often unaware of new exploits and vulnerabilities. Why is this the case?
Today, information about both “near misses” and successful cyber attacks on corporations and government agencies is kept secret. Outside of ad hoc efforts, we rarely share this critical information, collaborate on damage control, or provide early warning to other organizations that may be at risk. Those working on cyber security defense do not have visibility into cyber security incident information from their peers, even though they may often be seeing the same attack methods or adversary, as we saw with OPM and Anthem. Companies rarely work together in defending networks. This is hard to fathom when they know that information sharing and collaboration have helped to solve problems and manage risks in many other areas from addressing infectious diseases to financial markets. And though the advantages of collaboration over individual defense are obvious, changing this paradigm has been a decade-long challenge for the cyber security community.
What is behind this longstanding corporate hesitance to share cyber attack information? While cyber incident sharing may be in our collective best interest, individual contributors may face legal, reputational, or market risk when they exchange this data. Thus, they are understandably hesitant to release such data to anyone until they first understand the full scale of their individual exposure. As a result, even when the information is shared, it is often done too late to play an effective role in our defense.
In order to improve our cybersecurity defenses, it is critical to remove, or at least materially reduce, the risk to corporations of sharing cyber incident data. Technology providers are working on exactly this through advances in sharing technology, such as enabling companies to share incident data with each other anonymously, which addresses market and reputational risk. But there is one area where we need the support of the U.S. government: removing legal liability for companies that opt to exchange cyber incident data for the purpose of mitigating cyber attacks and providing early warning to others at risk.
Fortunately, it appears that those in government are willing to act if we can get the details right. President Obama signed an Executive Order in February that promotes private sector sharing of cyber threat information. Congress also indicated its support when the House passed two bills in April that provide liability protection for companies that share cyber threat indicators and defensive measures with each other and, should they choose, with the government. The measure, called the Cybersecurity Information Sharing Act (CISA), is awaiting approval from the Senate and is expected to go to the floor for a vote this fall.
Despite bipartisan and constituent support, CISA has faced a challenging path toward passage. Notably, it has raised concerns from privacy advocates who worry the bill will further degrade the privacy of individuals by insulating companies from responsibility. Some even fear that the bill's real aim is to create yet another government surveillance mechanism. Others have questioned whether sharing threat information with the government will be effective given its own cybersecurity struggles.
This mistrust between the cybersecurity community and government is not surprising. That said, the Senate has taken significant measures to address these concerns. The latest version of the bill is more explicit about what types of data can be shared, with whom, and for what use. For instance, the bill now more clearly defines a cyber incident and limits the government use of received data to cyber incident response, removing its ability to use it in unrelated criminal investigations. The bill also seeks to limit the access of intelligence agencies to shared data.
However, lost in this debate is the fact that the bill not only provides protection for companies that share information with the government but also for companies that exchange cyber incident information among each other – whether or not the government is involved. In fact, I would argue the most significant benefit of CISA is its ability to help empower the private sector to begin to collaborate on cyber attack responses.
While the bill still has flaws, and we can expect the debate over them to heat up, I’d ask those in the private sector to remain focused on the bigger picture. We will not get ahead of our adversaries in cyberspace if we do not work together. We cannot effectively address cybersecurity if we continue to fight only as individuals. Let’s encourage the Senate to continue to work to resolve privacy concerns and find a way to reduce unnecessary legal liability for those companies willing to work together in the fight against our cyber adversaries.
Paul Kurtz is former White House Cybersecurity Advisor and current CEO of TruSTAR Technology.