Public vs. private cyberattack responsibility debate heats up

Should the federal government combine legislative muscle with fear to pressure private enterprise leaders into funding defenses for a cyberwar? Or should it be up to the government to fund and create a “cyber army” to protect private industry, just as it protects factories and infrastructure in the physical world?

That debate is raised in two reports last week on National Public Radio on the escalating threat of cyberattacks from foreign and terrorist enemies. In the first, reporter Tom Gjelten profiles a public-private partnership called the “Enduring Security Framework,” which began at the end of 2008 and, “brings chief executives from top technology and defense companies to Washington, D.C., two or three times a year for classified briefings.

The purpose is to share information about the latest developments in cyberwarfare capabilities, highlighting the cyberweapons that could be used against the executives’ own companies.”

[See also: U.S. seeking to build international unity around cyberdefense for industrial control systems]

Or, in more colorful terms, “We scare the bejeezus out of them,” Gjelten quotes one U.S. government participant as saying.

At one such briefing in 2010, U.S. officials told business executives, “We can turn your computer into a brick.” That, according to NPR, prompted computer manufacturers to fix a design flaw in their firmware.

But now there is legislation pending that would take it beyond persuasion. In a second story, Gjelten reports on a U.S. Senate bill that would require private enterprises, particularly those that, “control the U.S. power grid, the financial system, water treatment facilities and other elements of critical U.S. infrastructure,” to improve their cybersecurity capabilities.

The leading backers of the bill are Sens. Joe Lieberman of Connecticut and Susan Collins of Maine, among others. Lieberman, an Independent, still caucuses with Democrats. Collins is a Republican.

Leaders in government and private industry agree on the need for those improvements, but the report says, “they divide over the question of who bears responsibility for that effort.”

That is a key dispute over passage of the bill, which is the Senate version of CISPA (Cyber Intelligence Sharing and Protection Act), recently passed by the House. The Senate version is more popular among privacy advocates because it would give the civilian Homeland Security Administration oversight of information sharing between the public and private sectors, rather than the military’s National Security Agency. But the Senate bill puts heavier, and more costly, regulation, on private business.

[See also: CISPA enjoys wide backing from enterprises]

Can business afford that burden? NPR cites a study by Bloomberg Government that estimated that those in charge of critical infrastructure, “may need to increase their cybersecurity spending as much as nine times to reach satisfactory levels.”

Larry Clinton of the Internet Security Alliance told NPR, “The legally mandated role of the government is to provide for the common defense, and they’re willing to spend pretty much whatever it takes to do that. If you’re in a private organization, your legally mandated responsibility is to maximize shareholder value. You can’t spend just anything on the cyberthreat.”

John Linkous, VP and chief security and compliance officer of eIQnetworks, says business and government both have plenty to lose from a cyberattack, “but they’re viewing the problem from very different perspectives: The government is viewing this as a ‘macro’-level problem that could potentially affect the entire nation, particularly if a mass attack on critical infrastructure were to occur at the same time. Business views [the threat] as a ‘micro’-level problem, scoped tightly to the business and its shareholders, employees and [occasionally] customers. I believe this means the cost burden needs to be shared.”

Still, some in both the private and public sector say businesses may have no choice but to do most of the heavy lifting, unless they want to give up control to government.

At a panel on cyberespionage at the Bloomberg Link Cyber Security Conference in April, FBI veteran Frank Montoya, recently named national counterintelligence executive, told the audience that unlike in World War II, when the U.S. military protected civilian infrastructure, “We’re an information-based society now. Information is everything. That makes you, as company executives, the front line — not the support mechanism, the front line — in what comes.

“National security has expanded beyond the old spy vs. spy model. You are part of that effort, whether you like it or not,” Montoya said.

His fellow panelist, former Navy Admiral Mike McConnell, who is both a past head of the NSA and director of National Intelligence, appeared to be in essential agreement with those like Cigital CTO Gary McGraw, who frequently says the best way to protect infrastructure from cyberattack is to, “make things that aren’t broken.”

As McConnell’s put it, “85% of the problem could be solved by good cyber hygiene.” But he was pessimistic about what he said is the need for government and industry to cooperate with information sharing, since cyberattacks occur at light speed. “If you’re going to be successful, you have to see it and react in milliseconds,” he said. “It’s about 30 milliseconds from Tokyo to New York.”

Linkous agrees that a partnership is necessary, but he and others say so far the government wants a one-way street. “The federal government needs to do more than just play scare tactics. It needs to start communicating more effectively with the private sector,” he says. “Many agencies in the federal government want to ‘control’ cybersecurity in the private sector, but the private sector absolutely will not yield that authority (and, I believe, rightly so).”

That debate will only end when a catastrophic attack occurs, McConnell believes. “Those bills [in Congress] are necessary, but not enough,” he said. “We’re going to talk but not act, sufficiently. We’re going to have catastrophic event. I don’t know what it will be or who will do it, but some of these (cyberattack) tools that have already been built are going to leak or somehow be siphoned off and be given to a group that wants to change the world order.”

When that happens, he predicted, “then we’re going to overreact.”