The government should have a standard protocol for when to alert the private sector to cybersecurity threats and a standard process for sharing that information without revealing classified secrets, the leader of a financial services industry group told a House panel Friday.
While the infrastructure is in place for the government and industry to work together on cybersecurity, the private sector often is kept in the dark too long because federal officials are wary of revealing information about ongoing investigations, Jane Carlin, chairwoman of the Financial Services Sector Coordinating Council, told members of a Homeland Security panel on cybersecurity.
When there was an attack on the Nasdaq Stock Market in 2010, for example, government officials didn't warn major financial institutions that might have been vulnerable to similar attacks for 102 days, Carlin said.
"What we're recommending is a documented protocol," she said, "a regularized and repeatable process for deciding when to disclose a threat to the financial community rather than making it up each time ... Let's inject some science here. How do we balance the importance of an ongoing investigation with the public policy effects of [firms'] ongoing exposure [to a security threat]?"
FSSCC, which was created shortly after the Sept. 11 terrorist attacks, acts as the financial community's clearinghouse for cyber threat information and as a liaison with government cybersecurity offices.
The cybersecurity panel is holding a series of hearings focused on working with the private sector to protect critical infrastructure, such as major financial institutions, utilities and telecom providers, from cyberattacks.
The Senate Homeland Security Committee is considering legislation that would compel private industry to share information about cyberattacks with the government, prompted by the powerful Stuxnet worm, which has the potential to infect operations ranging from water treatment to manufacturing.
A similar bill was introduced in the House and referred to the Subcommittee on Higher Education, Lifelong Learning and Competitiveness, where it hasn't received a hearing yet.
Carlin's organization also is urging the cybersecurity divisions at the Homeland Security Department to share information more often and more candidly with a cadre of cybersecurity officers at financial firms that have government security clearances.
Those cleared personnel can use that secret threat information to ensure their firms are protected from new threats and can pass on relevant threat information from the private sector end, Carlin said.
"When we're talking about information sharing, we mean bilaterally," she said. "There's an equivalent interest in government to have the private sector disclose threats that it's aware of as there is within the private sector to have the government disclose what it's taking care of."
Those security clearances were handed out several years ago through separate programs at Homeland Security and the Treasury Department as part of a government effort to more easily cooperate with the private sector on cyberthreats and counterterrorism. The Homeland Security clearances went to officials at industries outside the financial sector and across the spectrum of industry, an agency official said.
"Dozens of financial professionals are cleared now at the Secret level and seven are cleared at the Top Secret level," Carlin said in her testimony.
One problem with protecting the private sector from cyberattacks, subcommittee Chairman Daniel Lungren, R-Calif., observed, is that a concentrated attack or a vicious bug like Stuxnet can weasel its way into the systems of a nontechnology company, where Web security typically is more lax, and cause significant damage before it's discovered.
"In the financial services community and the telecom industry, it's fairly self-evident," Lungren said. "A cyberattack destroys your very product, your very service. Other [firms] can hedge and say, 'The way it hurts me is not that great, or the chances it will hurt me are not that great that I can justify this to shareholders.' "
A typical cyberattack nightmare scenario involves a hostile state or a terrorist group hacking into the U.S. power grid and shutting down the nation's power and communication systems.
Rep. Yvette Clarke, D-N.Y., the committee's ranking member, asked panelists on Friday whether the U.S. power grid could be "air-gapped," a technical term for making something completely secure by removing any connection to external systems, including the Internet.
The power grid is so expansive that it would be impossible to remove all external connections, Gerry Cauley, president of the North American Electric Reliability Corporation, a utilities industry group, said. But power suppliers have become adept at monitoring the external sites they work with to ensure they're as secure as possible, he said.
While many of its operating elements are run through the Internet, Cauley said, the power grid itself is offline and protected by several redundant systems.