Industry urges better cooperation from government on cyber threats

The government should have a standard protocol for when to alert the private sector to cybersecurity threats and a standard process for sharing that information without revealing classified secrets, the leader of a financial services industry group told a House panel Friday.

While the infrastructure is in place for the government and industry to work together on cybersecurity, the private sector often is kept in the dark too long because federal officials are wary of revealing information about ongoing investigations, Jane Carlin, chairwoman of the Financial Services Sector Coordinating Council, told members of a Homeland Security panel on cybersecurity.

When there was an attack on the Nasdaq Stock Market in 2010, for example, government officials didn't warn major financial institutions that might have been vulnerable to similar attacks for 102 days, Carlin said.

"What we're recommending is a documented protocol," she said, "a regularized and repeatable process for deciding when to disclose a threat to the financial community rather than making it up each time ... Let's inject some science here. How do we balance the importance of an ongoing investigation with the public policy effects of [firms'] ongoing exposure [to a security threat]?"

FSSCC, which was created shortly after the Sept. 11 terrorist attacks, acts as the financial community's clearinghouse for cyber threat information and as a liaison with government cybersecurity offices.

The cybersecurity panel is holding a series of hearings focused on working with the private sector to protect critical infrastructure, such as major financial institutions, utilities and telecom providers, from cyberattacks.

The Senate Homeland Security Committee is considering legislation that would compel private industry to share information about cyberattacks with the government, prompted by the powerful Stuxnet worm, which has the potential to infect operations ranging from water treatment to manufacturing.

A similar bill was introduced in the House and referred to the Subcommittee on Higher Education, Lifelong Learning and Competitiveness, where it hasn't received a hearing yet.

Carlin's organization also is urging the cybersecurity divisions at the Homeland Security Department to share information more often and more candidly with a cadre of cybersecurity officers at financial firms that have government security clearances.

Those cleared personnel can use that secret threat information to ensure their firms are protected from new threats and can pass on relevant threat information from the private sector end, Carlin said.

"When we're talking about information sharing, we mean bilaterally," she said. "There's an equivalent interest in government to have the private sector disclose threats that it's aware of as there is within the private sector to have the government disclose what it's taking care of."

Those security clearances were handed out several years ago through separate programs at Homeland Security and the Treasury Department as part of a government effort to more easily cooperate with the private sector on cyberthreats and counterterrorism. The Homeland Security clearances went to officials at industries outside the financial sector and across the spectrum of industry, an agency official said.

"Dozens of financial professionals are cleared now at the Secret level and seven are cleared at the Top Secret level," Carlin said in her testimony.

One problem with protecting the private sector from cyberattacks, subcommittee Chairman Daniel Lungren, R-Calif., observed, is that a concentrated attack or a vicious bug like Stuxnet can weasel its way into the systems of a nontechnology company, where Web security typically is more lax, and cause significant damage before it is discovered.

"In the financial services community and the telecom industry, it's fairly self-evident," Lungren said. "A cyberattack destroys your very product, your very service. Other [firms] can hedge and say, 'The way it hurts me is not that great, or the chances it will hurt me are not that great that I can justify this to shareholders.'"

A typical cyberattack nightmare scenario involves a hostile state or a terrorist group hacking into the U.S. power grid and shutting down the nation's power and communication systems.

Rep. Yvette Clarke, D-N.Y., the committee's ranking member, asked panelists on Friday whether the U.S. power grid could be "air-gapped," a technical term for making something completely secure by removing any connection to external systems, including the Internet.

The power grid is so expansive that it would be impossible to remove all external connections, said Gerry Cauley, president of the North American Electric Reliability Corporation, a utilities industry group. But power suppliers have become adept at monitoring the external sites they work with to ensure they're as secure as possible, he said.

While many of its operating elements are run through the Internet, Cauley said, the power grid itself is offline and protected by several redundant systems.
