Johnson: DHS Must Build Trust With Private Sector to Counter Cyber-Attacks
“DHS must continue efforts to address the growing cyberthreat, illustrated by the real, pervasive and ongoing series of attacks on things like stores, banks, email services, power substations and the public that depends on them,” said Jeh Johnson at the Woodrow Wilson Center, a Washington, D.C.-based think tank.
“Here, the key to the government’s efforts is to build trust with the private sector.”
Pervasive cyber-attacks are now a reality, said Johnson. Last year, President Barack Obama issued an executive order that aimed to improve cybersecurity within critical infrastructure. The order called for, in part, the development of incentives to encourage the private sector to share information about attacks with the government.
The executive order came on the heels of the failure of the Cyber Intelligence Sharing and Protection Act of 2011. CISPA, which failed to pass Congress in 2012, was designed to promote the sharing of information about cyber-attacks within the private sector, but critics said it could erode civil liberties.
Jane Harman, president and CEO of the Wilson Center, said one of the criticisms of CISPA was that DHS was not “well managed” enough as a department to take the reins.
“The big objection two years ago was it’s not a well-managed department — I’m not saying this is fair, but this was the objection — and we’re wary of cooperating with [them],” said Harman.
Johnson said he did not disagree with Harman and that leadership is needed to increase trust between the department and industry.
“I think that the key … to answer the dilemma … is visible leadership. Good leadership, but also visible leadership,” said Johnson. “I think that we have to be fairly transparent to become familiar with the private sector, to become familiar with the public, so that we build trust.”
Johnson said he has plans to meet with different private sector companies throughout the country in the coming weeks and months.
Larry Clinton, president and CEO of the Internet Security Alliance, agreed that there is a trust issue between government and industry.
“There is a lack of trust on both sides. The government, for the most part, hasn’t trusted industry to treat sensitive information appropriately. They are afraid it will leak out to the bad guys,” said Clinton. “Industry, on the other hand, is very concerned that if they share information with the government, proprietary information will be compromised.”
One way to overcome this trust issue is by changing the nature of what data would be exchanged under an information sharing agreement, Clinton said.
“When government is looking at cyber-attacks, what government really is focused on most of the time is the source of the attack. They want to know who did this — [is it] the Chinese, is it the Russian mob?” said Clinton. “Industry, frankly, doesn’t care about that really. They don’t care whether it’s the Russians or the Chinese who are stealing their intellectual property. They want it stopped.”
If the information shared is limited to technical data that excludes proprietary material but still tells the government enough about the source of the attack, both sides can work together, Clinton said.
“If we can do that, if we can change the nature of the information that is being shared, so that it doesn’t have any issues for industry and it doesn’t have any issues for the government, we can overcome some of the trust [problems],” said Clinton.