‘Cultural Change’ Needed to Counter Private Sector Cyberthreats, Say Lawmaker, Ex-Intelligence Officials
The private sector is now the “supported command” when it comes to cybersecurity, said a lawmaker, former intelligence officials and a cybersecurity expert during a Tuesday panel. And the U.S. government must support it, they said. The private sector is a main target of cyberattacks, yet remains vulnerable and exposed, the panelists said during the Center for Strategic and International Studies event. Only by passing information-sharing legislation, reforming its security clearance procedure and educating industry stakeholders can the U.S. government confront “the most serious national threat facing the United States,” said House Intelligence Committee Chairman Mike Rogers, R-Mich.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
"The weakest link really brings the entire chain down,” said Chertoff Group Chairman Michael Chertoff, a former Homeland Security secretary. That weakest link now is the private sector, the panelists said. Private sector cyberattacks are growing, said Chertoff Group Principal Michael Hayden, a former CIA and National Security Agency director. He blamed Iran for continued denial-of-service attacks on financial institutions (CD Oct 25 p9) that are on the threshold of becoming a “nuisance,” he said. CSIS Senior Fellow James Lewis agreed, saying in the past few years, Iran has gained the ability “to do real damage.” Twenty to 30 criminal groups have also gained the cyberattack “capability of a nation state,” Lewis said. “I believe there are more,” Rogers said.
The U.S. has hindered the private sector’s ability to respond to such threats, Hayden said. “American cyberpower has been generated by the American intelligence community” but not passed on to the private sector, he said. He attributed part of that lack of communication to a broken security clearance process. Many people within a company need cybersecurity information, but it’s hard to fully clear all of them repeatedly, Hayden said. “We need fundamentally a different approach to where the line is between secret and not secret,” he said.
Security clearance determinations are outdated and based on a “1950s view” of, “Is this person a good American?” Rogers said. His committee is “going through a package [of legislation] that will have a more dynamic view” of an individual seeking security clearance. “It’s a bit of a cultural change.” The committee hopes to include the new protocol in its next authorization bill.
Information-sharing legislation and more intellectual property protection are on the horizon as well, Rogers said. The Cyber Intelligence Sharing and Protection Act is “ill” but not dead, he said. The House passed the bill in April, but it failed in the Senate (CD April 19 p6). Within the past few weeks, the House Intelligence Committee has added changes to the bill to “build confidence in the American people,” he said. Public perception after revelations about the NSA surveillance programs is now the biggest hurdle to passing the bill. “This is a cultural problem we have to educate our way through,” he said. “This thing would be done in a heartbeat” if the public understood the NSA is not going to “be reading all your emails,” he said. A House working group will also introduce recommendations to curb foreign countries from copying U.S. technology by purchasing American businesses, Rogers said. “Sometimes the fact that we are five to eight years ahead in technology is in our national security interest,” he said.
The changes would bolster the private sector, the panelists said. “At the end of the day it’s the main body,” Hayden said. “So the government has to enable the movement of the main body.”