DHS’s Cyber Role Should Be Improved, Not Diminished, House Panel Told

March 9, 2017 – Cybersecurity professionals today told a House subcommittee about their concerns that the Trump administration might reverse progress on cyber threat information-sharing by diminishing the role of the Department of Homeland Security and giving more authority to the Defense Department or other federal agencies. “We’ve had a 10-year discussion in this country about the roles and missions of DHS, DoD, the intelligence community, law enforcement — how all these entities can work together,” said Ryan Gillis, vice president-cybersecurity strategy and global policy at Palo Alto Networks.

“Refighting those turf battles” would be counterproductive, Mr. Gillis told the Homeland Security Committee’s cybersecurity and infrastructure protection subcommittee at a hearing on the effectiveness of DHS’s engagement with the private sector on cybersecurity.

Mr. Gillis and other witnesses at the hearing noted that early drafts of a White House executive order (EO) on cybersecurity seemed to discount steps that had already been taken during the presidencies of George W. Bush and Barack Obama. The draft EO seemed to indicate a desire for an enhanced role for DoD in policing civilian cyberspace, which would be a mistake, said Robyn Greene, policy counsel and government affairs lead for New America’s Open Technology Institute.

The Cybersecurity Information Sharing Act (CISA), a key statute enacted in 2015, leaves room for the president to designate a second government entity, other than DHS, to run a cyber threat information-sharing portal, Ms. Greene noted.

But establishing a second portal would harm information-sharing efforts and “create confusion about DHS’s role as the civilian lead in the federal government,” she said.  If the second portal were run by a law enforcement or intelligence agency, user trust would be undermined and voluntary sharing efforts would suffer, she added.  “We should start moving forward instead of moving back and relitigating past debates.”

Some federal agencies already are trying to duplicate DHS’s cyber threat information-sharing apparatus, said Daniel Nutkis, chief executive officer of the Health Information Trust Alliance (HITRUST). “There are efforts to require health care organizations to only share information directly with the Department of Health and Human Services,” he testified.  “This is certainly troublesome, and we find these efforts alarming and contrary to the original intent of CISA.”

Other problems with information-sharing include the dissemination of information that is incomplete or erroneous, said Jeffrey Greene, senior director-global government affairs and policy at Symantec Corp.  The need for accuracy and context in shared data will only increase as the sharing programs grow and become more automated, he told the subcommittee.

That puts DHS in a difficult spot, Mr. Greene noted.  “On the one hand, they’re being told to share more and share faster.  On the other hand, they’re being told to be careful what you share and vet it before you do so,” he said.  “This is a balance that’s not easy to strike, and it’s going to require constant tuning.”

Subcommittee members said they were looking for ways to strengthen DHS’s cybersecurity mission without disrupting it.  “We must be constantly measuring, benchmarking, and setting goals associated with their outcomes,” said Rep. John Ratcliffe (R., Texas), the subcommittee’s chairman.  “Additionally, DHS needs to become fully operational so it can most effectively carry out the cybersecurity authorities Congress deliberately gave the department just over a year ago.”

Cedric Richmond (D., La.), the panel’s ranking member, echoed support for DHS as the department best positioned to address the security of civilian cyberspace. “Since 2001, DHS has been the lead agency responsible for coordinating federal efforts to protect critical infrastructure and, in that capacity, has made major strides in cyber information-sharing among critical infrastructure owners and operators,” he said.  “Directing the Pentagon to take on cybersecurity in the private sector would represent a radical departure.” – Tom Leithauser, tom.leithauser@wolterskluwer.com

Courtesy TRDaily