Small Businesses Face Hurdles Joining DHS Cybersecurity Program

A year after Congress passed landmark legislation designed to help organizations share information on cyber threats, small businesses are facing roadblocks when trying to join the program, witnesses said June 15 during a House hearing.

The Cybersecurity Information Sharing Act of 2015 is intended to build upon previous Department of Homeland Security efforts to have businesses and other agencies share information with the federal government about hackers and cyber intrusions so they can all be more adept at thwarting network attacks.

“We continue to see major vulnerabilities in our security systems, especially the lack of information sharing,” said Rep. Michael McCaul, R-Texas, chairman of the House Homeland Security Committee. “If no one shares data, everyone is less secure and intrusions go undetected.”

The act made DHS the clearing house for all federal and private sector information sharing. It set up an automatic indicator sharing portal where businesses and agencies can send in current threats. The law assured businesses that their information would be private and that it could not lead to lawsuits. Protection against liability is contingent on companies sharing directly with DHS officials.

DHS and The Department of Justice released interim guidance in February to assist non-federal entities to share cyber threat indicators (CTIs) with the federal government. The departments also released interim procedures relating to the receipt and use of CTIs by the federal government, interim guidelines relating to privacy and civil liberties in connection with the exchange of these indicators, and guidance to federal agencies on sharing information in the government’s possession.

About 50 private companies and 24 federal state agencies are currently enrolled in the program at the DHS National Coordination Center. Yet many small business owners struggle with the lengthy process and cost of entering the program, witnesses said.

“As a CEO of a small business myself, the key driver for investing in things like cyber security is cost,” said Olga Sage, founder and chief executive officer of E-Management, an information technology company. “It seems as though the legislation is tailored to larger businesses who have the personnel and resources to invest.”

Cybersecurity can cost an estimated $60,000 a year for a company with 50 employees, according to Sage. “We’re about customers and growing our businesses — cybersecurity is just the latest worry. Small businesses can’t afford that.“

Matthew Eggers, executive director of cybersecurity policy at the U.S. Chamber of Commerce, shared similar sentiments. “I think it’s really tough for small businesses…who don’t have the capital or technology talent,” Eggers said. “We want to create technology that will help small businesses continue their work while still generating and receiving threat data.”

Until less expensive technology is developed, business owners in the private sector will continue to struggle when considering whether or not to protect their systems, witnesses said.

“A lot of small companies assume they don’t have anything anyone will want to steal, but that isn’t the case,” Sage said.

The low participation rate from the private sector may also be a result of a cumbersome sign-up process. Companies have to receive a high-level clearance in order to send encrypted emails, and obtaining that certification is just the first step of the battle.

“In order to read the guidelines for participating in the program you have to receive clearance to do so,” Sage said.

Technology issues surrounding the software in computers also prevent certain companies from obtaining their clearance. Having to fill out two separate sets of paperwork slows the process even further, according to Mark Clancy, chief executive officer of Soltra, a cybersecurity company specializing in the financial services industry.

“There are mechanical issues we have to continue to work with,” Clancy said. “But the law is six months old and the program is three months old — if we have this problem again in 12 months, then we’re in a very different place.”

Witnesses testifying in the hearing were unanimous in saying that the process needs to be streamlined.

“If there was a way for DHS to provide the facilities that would enable small business owners to advance in the process [that] would be very helpful,” said Sage. “We need an option that will work for us — the other options are cost prohibitive.”

Photo: iStock

Topics: C4ISR, Cybersecurity, Homeland Security