Nearly two years after Congress passed the Cybersecurity Information Sharing Act, the intelligence community says it’s laid the groundwork for a public-private cyber threat hub, but it’s still far from the “cyber 911” that lawmakers and agencies envisioned.
Richard Ledgett, the National Security Agency’s outgoing deputy director, told an Aspen Institute roundtable on Tuesday that the federal government has been collecting industry feedback about how it has implemented CISA, and looking for gaps in security that need to be addressed.
“We said this is a first step. It’s not the end of the road for information sharing,” Ledgett said.
Paul Abbate, the FBI’s executive assistant director, told business leaders at the roundtable that the intelligence community has evolved its cyber response strategies based on lessons learned from earlier intrusions — which is why companies should build a relationship with these agencies before a data breach occurs.
“It’s all about building those partnerships between government and the private sector [and] private industry before something happens, and building that relationship, building the trust and two-way sharing of information to be preventative. We’re certainly not there yet … but that’s what I see as the focal point,” Abbate said.
More than 50 agencies, private companies and organizations have joined the Department of Homeland Security's Automated Indicator Sharing (AIS) network, but malicious actors have also begun working more closely together. And the threat only gets worse, Abbate said, with emerging technologies such as the Internet of Things.
“I think it’s probably an area that crosses over many different industries and sectors, and it’s ripe for probable regulation in order to achieve the proper standards to put better protections in place,” he said.
In order to combat a “hybrid” threat of state-sponsored and lone hackers, Abbate said there needs to be a whole-of-government approach.
“Nothing that we do is on our own. We do everything that we do with our partners in the Department of Defense, with our partners at the [National Security Agency], the CIA, DHS and the private sector. We need to leverage all of the tools between and among us that are available, and leverage all the resources, capabilities and authorities of our agencies … and even bring that down to the state and local level where appropriate,” he said.
One possible solution could be yet another “bug bounty,” in which the government rewards “white-hat” hackers for finding and reporting security vulnerabilities. The Defense Department ran the first federal bug bounty and has since looked to expand the program, and the Army and the General Services Administration have already emulated it.
“I think a bug bounty can be a good thing, if it’s done well. The Department of Defense did it last year, and was pretty successful in that. I think you want to register participants in some way and have a disclosure path that’s pretty clear. But I think in general it’s a good thing,” Ledgett said.
When asked if the NSA should have its own leadership separate from U.S. Cyber Command, Ledgett, who will retire from the agency later this spring, said it’s only a matter of time before the bifurcation happens.
“I think there’s almost a universal agreement that CYBERCOM and NSA do need to split at some point. I think the question is when. And so, is it a time-based activity, or is it a conditions-based activity? I would argue for the latter, but I would put a boundary on the time, so that five years from now, we’re not having the same conversation,” he said.
Adm. Mike Rogers, the current head of both the NSA and CYBERCOM, and Sen. John McCain (R-Ariz.), the chairman of the Senate Armed Services Committee, both oppose the split.
In another departure from Rogers, Ledgett said he would support designating election systems as critical infrastructure, in light of Russia’s possible cyber intrusions.
“The [voting] system was not significantly affected. Part of that is because it’s not a system, it’s a whole bunch of systems, and there’s not one place you could go to affect outcomes. You would have to go to 50 places to affect outcomes. I do think it begs the question, should we designate the election-related systems as critical infrastructure? I think so, as an American who votes, yes,” he said.