NSTAC Members Pitch for More Input into Threat-Sharing System

December 7, 2016 – Members of the President’s National Security Telecommunications Advisory Committee (NSTAC) today called for more private-sector contributions to the cyber threat data sharing system set up by the Department of Homeland Security earlier this year after it was authorized in late 2015 by the Cybersecurity Information Sharing Act. Speaking during the public portion of today’s NSTAC meeting, Phyllis Schneck, DHS’ deputy under secretary-cybersecurity and communications, said the automated information-sharing (AIS) portal maintained by DHS includes data that the agency buys from private sector entities, as well as declassified data collected by the federal government.

“We need more private-sector engagement on that” to make the sharing of threat data more effective, said Ms. Schneck, adding that the larger goal of the effort was to improve cybersecurity generally in order to make “the Internet a self-healing network . . . so that a computer does not execute a command that is harmful.” Likewise, Suzanne Spaulding, DHS’ under secretary for its National Protection and Programs Directorate, asked for the private sector to “please sign up for AIS.”

Retired Gen. Gregory Touhill, who was named federal government chief information security officer earlier this year, said he is trying to change the culture of security in the government so that “cybersecurity is a risk management issue and not a technology issue.”  He added, “we are trying to better manage risk . . . and to get the federal government to implement the cybersecurity framework” for critical infrastructure sectors released in 2014 by the National Institute of Standards and Technology.

Scott Charney, who is a vice president at Microsoft Corp. and co-chair of NSTAC’s Emerging Technologies Strategic Vision Subcommittee, said the panel is working on a report it hopes to deliver in May 2017.  He said the document was likely to involve a number of areas including what the government should be doing “right now,” what the government should stop doing, cryptology issues, and how to address longer-term issues like quantum computing and artificial intelligence.

He said the panel plans to share its draft findings with representatives of the Trump administration in February, and he reserved the right to delay its May 2017 deadline if necessary to make sure the document is “useful to the next administration.”

Robert Silvers, assistant secretary-cyber policy at DHS, said that in the area of Internet of things security “there is a lot more work to do . . . there are a lot of thorny problems.”  Among other steps, he urged more focus on development of international IoT security standards, the launch of a “serious national discussion about incentives” to improve IoT security, and not only voluntary industry security efforts but also “regulation, legislation [and] tort remedies.”

Regarding IoT security, Ms. Spaulding said that even though “we built the Internet without security in mind, we can build the Internet of things with security in mind.”  She also said she hoped for a “grand bargain of some kind” between IoT makers and consumers that would allow IoT devices to function as “sensors” to alert authorities to cyber attacks. – John Curran, john.curran@wolterskluwer.com

Courtesy TRDaily