Public vs. private cyberattack responsibility debate heats up

Should the federal government combine legislative muscle with fear to pressure private enterprise leaders into funding defenses for a cyberwar? Or should it be up to the government to fund and create a "cyber army" to protect private industry, just as it protects factories and infrastructure in the physical world?

That debate is raised in two reports last week on National Public Radio on the escalating threat of cyberattacks from foreign and terrorist enemies. In the first, reporter Tom Gjelten profiles a public-private partnership called the "Enduring Security Framework," which began at the end of 2008 and "brings chief executives from top technology and defense companies to Washington, D.C., two or three times a year for classified briefings.

The purpose is to share information about the latest developments in cyberwarfare capabilities, highlighting the cyberweapons that could be used against the executives' own companies."

[See also: U.S. seeking to build international unity around cyberdefense for industrial control systems]

Or, in more colorful terms, "We scare the bejeezus out of them," Gjelten quotes one U.S. government participant as saying.

At one such briefing in 2010, U.S. officials told business executives, "We can turn your computer into a brick." That, according to NPR, prompted computer manufacturers to fix a design flaw in their firmware.

But now there is legislation pending that would take it beyond persuasion. In a second story, Gjelten reports on a U.S. Senate bill that would require private enterprises, particularly those that "control the U.S. power grid, the financial system, water treatment facilities and other elements of critical U.S. infrastructure," to improve their cybersecurity capabilities.

The bill's leading backers include Sens. Joe Lieberman of Connecticut and Susan Collins of Maine. Lieberman, an Independent, still caucuses with Democrats. Collins is a Republican.

Leaders in government and private industry agree on the need for those improvements, but the report says, "they divide over the question of who bears responsibility for that effort."

That is a key dispute over passage of the bill, which is the Senate version of CISPA (Cyber Intelligence Sharing and Protection Act), recently passed by the House. The Senate version is more popular among privacy advocates because it would give the civilian Homeland Security Administration oversight of information sharing between the public and private sectors, rather than the military's National Security Agency. But the Senate bill puts heavier, and more costly, regulation on private business.

[See also: CISPA enjoys wide backing from enterprises]

Can business afford that burden? NPR cites a study by Bloomberg Government that estimated that those in charge of critical infrastructure "may need to increase their cybersecurity spending as much as nine times to reach satisfactory levels."

Larry Clinton of the Internet Security Alliance told NPR, "The legally mandated role of the government is to provide for the common defense, and they're willing to spend pretty much whatever it takes to do that. If you're in a private organization, your legally mandated responsibility is to maximize shareholder value. You can't spend just anything on the cyberthreat."

John Linkous, CEO of eIQnetworks, says business and government both have plenty to lose from a cyberattack, "but they're viewing the problem from very different perspectives: The government is viewing this as a 'macro'-level problem that could potentially affect the entire nation, particularly if a mass attack on critical infrastructure were to occur at the same time. Business views [the threat] as a 'micro'-level problem, scoped tightly to the business and its shareholders, employees and [occasionally] customers. I believe this means the cost burden needs to be shared."

Still, some in both the private and public sectors say businesses may have no choice but to do most of the heavy lifting, unless they want to give up control to government.

At a panel on cyberespionage at the Bloomberg Link Cyber Security Conference in April, FBI veteran Frank Montoya, recently named national counterintelligence executive, told the audience that unlike in World War II, when the U.S. military protected civilian infrastructure, "We're an information-based society now. Information is everything. That makes you, as company executives, the front line -- not the support mechanism, the front line -- in what comes.

"National security has expanded beyond the old spy vs. spy model. You are part of that effort, whether you like it or not," Montoya said.

His fellow panelist, former Navy Admiral Mike McConnell, a past head of the NSA and a past director of National Intelligence, appeared to be in essential agreement with those like Cigital CTO Gary McGraw, who frequently says the best way to protect infrastructure from cyberattack is to "make things that aren't broken."

As McConnell put it, "85% of the problem could be solved by good cyber hygiene." But he was pessimistic about the information-sharing cooperation he said government and industry need, since cyberattacks occur at light speed. "If you're going to be successful, you have to see it and react in milliseconds," he said. "It's about 30 milliseconds from Tokyo to New York."

Linkous agrees that a partnership is necessary, but he and others say so far the government wants a one-way street. "The federal government needs to do more than just play scare tactics. It needs to start communicating more effectively with the private sector," he says. "Many agencies in the federal government want to 'control' cybersecurity in the private sector, but the private sector absolutely will not yield that authority (and, I believe, rightly so)."

That debate will only end when a catastrophic attack occurs, McConnell believes. "Those bills [in Congress] are necessary, but not enough," he said. "We're going to talk but not act, sufficiently. We're going to have a catastrophic event. I don't know what it will be or who will do it, but some of these (cyberattack) tools that have already been built are going to leak or somehow be siphoned off and be given to a group that wants to change the world order."

When that happens, he predicted, "then we're going to overreact."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.


Stories by Taylor Armerding
