Industry urges better cooperation from government on cyber threats

The government should have a standard protocol for when to alert the private sector to cybersecurity threats and a standard process for sharing that information without revealing classified secrets, the leader of a financial services industry group told a House panel Friday.

While the infrastructure is in place for the government and industry to work together on cybersecurity, the private sector often is kept in the dark too long because federal officials are wary of revealing information about ongoing investigations, Jane Carlin, chairwoman of the Financial Services Sector Coordinating Council, told members of a Homeland Security panel on cybersecurity.

When there was an attack on the Nasdaq Stock Market in 2010, for example, government officials didn't warn major financial institutions that might have been vulnerable to similar attacks for 102 days, Carlin said.

"What we're recommending is a documented protocol," she said, "a regularized and repeatable process for deciding when to disclose a threat to the financial community rather than making it up each time ... Let's inject some science here. How do we balance the importance of an ongoing investigation with the public policy effects of [firms'] ongoing exposure [to a security threat]?"

FSSCC, which was created shortly after the Sept. 11 terrorist attacks, acts as the financial community's clearinghouse for cyber threat information and as a liaison with government cybersecurity offices.

The cybersecurity panel is holding a series of hearings focused on working with the private sector to protect critical infrastructure, such as major financial institutions, utilities and telecom providers, from cyberattacks.

The Senate Homeland Security Committee is considering legislation that would compel private industry to share information about cyberattacks with the government, prompted by the powerful Stuxnet worm, which has the potential to infect operations ranging from water treatment to manufacturing.

A similar bill was introduced in the House and referred to the Subcommittee on Higher Education, Lifelong Learning and Competitiveness, where it hasn't received a hearing yet.

Carlin's organization also is urging the cybersecurity divisions at the Homeland Security Department to share information more often and more candidly with a cadre of cybersecurity officers at financial firms that have government security clearances.

Those cleared personnel can use that secret threat information to ensure their firms are protected from new threats and can pass on relevant threat information from the private sector end, Carlin said.

"When we're talking about information sharing, we mean bilaterally," she said. "There's an equivalent interest in government to have the private sector disclose threats that it's aware of as there is within the private sector to have the government disclose what it's taking care of."

Those security clearances were handed out several years ago through separate programs at Homeland Security and the Treasury Department as part of a government effort to more easily cooperate with the private sector on cyberthreats and counterterrorism. The Homeland Security clearances went to officials at industries outside the financial sector and across the spectrum of industry, an agency official said.

"Dozens of financial professionals are cleared now at the Secret level and seven are cleared at the Top Secret level," Carlin said in her testimony.

One problem with protecting the private sector from cyberattacks, subcommittee Chairman Daniel Lungren, R-Calif., observed, is that a concentrated attack or a vicious bug like Stuxnet can weasel its way into the systems of a nontechnology company, where Web security typically is more lax, and cause significant damage before it's discovered.

"In the financial services community and the telecom industry, it's fairly self-evident," Lungren said. "A cyberattack destroys your very product, your very service. Other [firms] can hedge and say, 'The way it hurts me is not that great, or the chances it will hurt me are not that great that I can justify this to shareholders.' "

A typical cyberattack nightmare scenario involves a hostile state or a terrorist group hacking into the U.S. power grid and shutting down the nation's power and communication systems.

Rep. Yvette Clarke, D-N.Y., the committee's ranking member, asked panelists on Friday whether the U.S. power grid could be "air-gapped," a technical term for making something completely secure by removing any connection to external systems, including the Internet.

The power grid is so expansive that it would be impossible to remove all external connections, Gerry Cauley, president of the North American Electric Reliability Corporation, a utilities industry group, said. But power suppliers have become adept at monitoring the external sites they work with to ensure they're as secure as possible, he said.

While many of its operating elements are run through the Internet, Cauley said, the power grid itself is offline and protected by several redundant systems.
