DHS Official: Cyber Threat Data Should Be Public Good More than Profit Maker

A top Department of Homeland Security official urged companies to engage with DHS on efforts to share information to enhance network security and in doing so to consider focusing more on the public good and less on opportunities to profit. At the dedication ceremony for a new facility for the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE), speakers stressed the importance of cooperation and of making it clearer and easier for companies and individuals to protect themselves.

In a speech, Alejandro Mayorkas, DHS deputy secretary, said, “The bad guy is getting in. The question is how difficult we can make it, how sophisticated the bad guy must be, and how quickly we can identify the intrusion and expel the intrusion.” Mr. Mayorkas said he understood the skepticism demonstrated by some industry officials regarding the sharing of threat data with the federal government when it also is engaged in enforcement. But he said DHS is the right agency to handle information sharing.

“The reason is that the Department of Homeland Security is uniquely situated in having a statutorily created Office of Civil Rights and Liberties and an Office of Privacy,” Mr. Mayorkas said.  “That uniqueness really distinguishes and empowers the DHS to be involved in the sharing of information with the private sector.” Sharing information with the federal government and disseminating it broadly to private sector entities will enable DHS to “raise the level of cybersecurity across the ecosystem and make not only one company or two companies more secure but really make all of us more secure,” he said.

Mr. Mayorkas said DHS was giving its commitment to the industry that it would “continue to advance our capabilities both to receive and disseminate information, and we would respectively request of you that you give thought to what really in the cybersecurity realm is deserving of recognition as a profit maker but then what really is most deserving as a public good.”

During a subsequent panel discussion, Michael Daniel, special assistant to the President and White House Cybersecurity Coordinator, said the cybersecurity threat is “becoming broader because we keep hooking more and more stuff to the Internet.”  The threat is also “getting more frequent,” with “more and more actors figuring out they can either make a profit or achieve their goals through cyberspace much more effectively than even in some of the physical world,” he said.

Threats are also getting more serious, Mr. Daniel said. “The bad guys are moving up the threat spectrum,” he said. The United States is now at a “strategic inflection point,” Mr. Daniel said. The Internet has provided a strategic advantage to the U.S. for 40 years, he said, but continued, “If we don’t address some of the problems, we risk cyberspace and the Internet becoming a strategic liability.”

Donna Dodson, chief cybersecurity advisor for NIST and director of NCCoE, said the “purpose and the heart and soul of what the center is about is, how do you take those standards and best practices and using them in these business environments.”

Ms. Dodson added, “We don’t make cybersecurity technologies where it’s easy to do the right thing, hard to do the wrong thing, and easy to back up if you do do the wrong thing.”

David Hoffman, associate general counsel and global privacy officer at Intel Corp., said a key question is how to spur investment in cybersecurity.  Companies often say that they know they need more investment, but they “can’t figure out if they need 100 heads or 1,000 heads to throw at the problem,” he said.  “That’s a big problem.  I need something to measure.  I need some guidance for what to aim towards.” Mr. Hoffman added that there is “great promise for what advanced data analytics can do in the area of security.

“If we’re going to pursue the opportunity, we have to make sure we go through the privacy issues at the same time,” Mr. Hoffman said. “We need data to protect data. We need to understand that having data and processing data and learning from it does not necessarily have to be bad for privacy. It could be good for privacy because it can protect us from breaches.

“I think we have a model that can work,” he said. “We need to bring all the stakeholders together and start to flesh that out and reach a consensus.”

Lisa Gallagher, vice president-technology solutions at Healthcare Information and Management Systems, said companies in the healthcare sector have averaged spending just 3% of their information technology budgets on cybersecurity over the last 10 years. “There’s clearly not a lot of resources” devoted to cybersecurity, she said. “There’s a lot of challenge getting the kinds of expertise that they need.”

The health care industry needs a “source of threat data, all in one place, that is in one format, analyzed and actionable, and as near-real-time as we can possibly get,” Ms. Gallagher said. “Other sectors have already figured out how to do this.” But the health care industry needs to step up collaborative efforts to improve security, she said.

– Brian Hammond, brian.hammond@wolterskluwer.com

Courtesy TRDaily