Future legislation to enhance cyber security posture across the United States should include more types of information sharing, consideration of how companies can more actively defend themselves from attacks, creation of a deterrence strategy, and analytics, a group of cyber security experts told a House panel on Thursday.
Companies need to have more room to “proactively defend their systems” because they “can’t afford to wait” for the government to act, and if “government is not going to respond someone needs to be able to respond,” Frank Cilluffo, director of the Center for Cyber and Homeland Security at George Washington Univ., told the House Homeland Security Cybersecurity Subcommittee.
Cilluffo said, “there’s a lot of policy space between build higher walls and bigger moats and hack back. And between that space we’ve got to start identifying what some of the actions and steps companies can take to more proactively defend their systems.”
Last December President Barack Obama signed into law legislation that was years in the making and is aimed at incentivizing the sharing of cyber threat indicators between the private sector and federal government. The incentive comes by way of limited liability protections for companies that voluntarily share the threat data with the government.
Homeland Security Secretary Jeh Johnson on Tuesday told the House Appropriations Homeland Security Subcommittee that it’s too early to tell if the information sharing provisions of the Cybersecurity Information Sharing Act (CISA) of 2015 are working. He said the liability protections in the bill reflect the private sector’s demand for protections for disclosing threats that cross their networks.
Adam Bromwich, vice president of Security Technology and Response at information security firm Symantec [SYMC], told the panel on Thursday that there is still more that legislation can do to improve information sharing. For one, he said, sharing by the government with industry needs to be improved.
There also needs to be more “education and emphasis on the technologies that are out there and available to encourage their adoption, to build awareness,” Bromwich said. “There still is not enough awareness of the technologies that are available and how important the problem is.”
Isaac Porche, associate director of the Forces and Logistics Program within the RAND Corp.’s Army Research Division, told the panel to “wait a little” to see how well CISA works and whether any changes need to be made.
Much later, Porche said, there needs to be greater consideration for how the information that is shared can be better integrated and fused to take better advantage of it.
“What’s next is the knowledge age when we can pull smarts, pull intelligent fusion, pull sense-making out of all that data we have coming in,” Porche said. “Doing something quite useful with the data, that’s likely to give us insight into the next attack.”
“Richer types of information” also need to be shared, said Jennifer Kolde, lead technical director with the cyber threat security firm FireEye [FEYE]. This goes beyond contextual data about threat indicators to include “countermeasures and recommendations for how to respond” to attacks, she said.
“In addition,” Kolde said, “continuing to look for creative defensive measures, both technological as well as best practices from individuals that we can continue to promulgate out in the private and public sector for how networks can better defend themselves.”
Cilluffo also said that the United States needs a deterrent posture to confront cyber attackers. This is a major political and policy issue, he said of the need to develop a deterrent strategy, adding that “Right now our adversaries are operating with impunity. Until we can raise the bar or raise the cost for their behavior, induce changes in that behavior, we’re going to be playing defense the whole time.”
Rep. John Ratcliffe (R-Texas), chairman of the House cyber panel, said in his opening remarks that without an effective deterrence strategy, more attackers will push the limits.
“Unfortunately, the administration’s lack of proportional responses to these cyber attacks has demonstrated to the world that there are no real consequences for such actions,” Ratcliffe said.
In late January Director of National Intelligence James Clapper said that the greatest threat to national security is in the cyber domain. On Thursday Clapper provided an unclassified briefing to the House Intelligence Committee on the Worldwide Threat Assessment of the U.S. Intelligence Community.
“Devices, designed and fielded with minimal security requirements and testing, and an ever increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems,” said Clapper’s 33-page prepared remarks. “These developments will pose challenges to our cyber defenses and operational tradecraft but also create new opportunities for our own intelligence collectors.”