Better business-government teamwork needed to categorically fight cyberthreats
By Ellen Messmer
January 09, 2013 — Network World — The Business Roundtable, the association of 210 chief executive officers whose companies account for more than $7.3 trillion in annual revenues and 16 million employees, today said that cyberthreats to their businesses have become so severe that a new way of sharing real-time security information needs to be set up among companies and with the U.S. government.
"Cybersecurity threats from nation states and other well-funded, motivated actors present risks that neither the public nor the private sector can unilaterally address," the Business Roundtable executives stated in their report entitled, "More Intelligent, More Effective Cybersecurity Protection." They noted that "formidable criminals are systematically stealing intellectual property through cyber theft" and "even more dangerous adversaries are developing tools and capabilities to disrupt critical services that support the world's economy, security and public safety."
In its report, the group, whose CEOs hail from large companies that include Wal-Mart, ExxonMobil Corp., Procter & Gamble, Dow Chemical, General Electric and others, said they have united around a proposal that calls for an unprecedented level of information-sharing between each other and the U.S. government for protection.
But the CEOs say to do this, some legal hurdles will have to be overcome, such as finding ways to obtain satisfactory liability, antitrust and freedom of information protections that would likely involve cooperation from Congress and the White House.
The Business Roundtable proposal includes ideas such as:
- Authorize and create two-way information sharing to actively exchange reports on imminent threats, response actions and situational awareness as well as deliver threat assessments, such as National Intelligence Estimates.
- Increase law enforcement capabilities to disrupt, apprehend and prosecute cyber criminals.
- Position the public and private sectors to collaborate on cybersecurity at strategic and operational levels.
- To effectively act on threat information provided by the government, private-sector companies will have to work across their respective enterprises. As a result, the government must not only increase the number and level of security clearances within the private sector but also strive to share information that is classified at the lowest possible level to ensure that companies are able to share threat information with corporate stakeholders responsible for taking appropriate action.
- Processes for real-time collaboration on the technical level between government and industry should also be established to address "serious risks."
"The companies are highly motivated to address this," says Liz Gasster, vice president at the Washington, D.C.-based Business Roundtable, about what she says is an unprecedented step by the CEOs of the Business Roundtable to publicly put forth a proposal to address cyberthreats.
The report and the proposal originated with the Business Roundtable's information and technology committee headed up by MasterCard CEO and President Ajay Banga, and the report out today was approved by all 210 CEOs at a meeting in December.
Basically, the Business Roundtable executives are saying they want to be able to more freely exchange real-time information on security threats across company boundaries and with the U.S. government, especially the Department of Homeland Security, if assurances about confidentiality can be made and legal qualms resolved.
That could mean some proposed changes need to be supported legislatively by Congress and the Administration. But in the context of it all, the Business Roundtable executives are also raising objections to the prospect of any legislation that would establish the type of risk-compliance regulatory structure of federal mandates, such as was envisioned in the Cybersecurity Act of 2012 that failed to pass through Congress last year.
The Business Roundtable explicitly views its information-sharing proposal of today as a "second approach" that they favor, and they say they see more of their ideas represented in the House of Representatives bill H.R. 3523, the Cyber Intelligence Sharing and Protection Act, which amends the National Security Act of 1947 to enable national intelligence agencies to share strategic threat assessments and other information.
Gasster says currently there's only known to be a pilot project with the Defense Department and some defense-oriented companies to share critical threat information. There has also been for decades a forum where telcos have shared security-related information with government.
Whether the information-sharing proposal from the Business Roundtable will get any traction in Washington power circles remains to be seen, but Gasster says the significance of the report is that these 210 CEOs from Fortune 25 companies have unambiguously acknowledged the nature of cyberthreats and how they think information-sharing will be key to defending against them.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: email@example.com.