recommended reading

Industry urges better cooperation from government on cyber threats

The government should have a standard protocol for when to alert the private sector to cybersecurity threats and a standard process for sharing that information without revealing classified secrets, the leader of a financial services industry group told a House panel Friday.

While the infrastructure is in place for the government and industry to work together on cybersecurity, the private sector often is kept in the dark too long because federal officials are wary of revealing information about ongoing investigations, Jane Carlin, chairwoman of the Financial Services Sector Coordinating Council, told members of a Homeland Security panel on cybersecurity.

When there was an attack on the Nasdaq Stock Market in 2010, for example, government officials didn't warn major financial institutions that might have been vulnerable to similar attacks for 102 days, Carlin said.

"What we're recommending is a documented protocol," she said, "a regularized and repeatable process for deciding when to disclose a threat to the financial community rather than making it up each time ... Let's inject some science here. How do we balance the importance of an ongoing investigation with the public policy effects of [firms'] ongoing exposure [to a security threat]?"

FSSCC, which was created shortly after the Sept. 11 terrorist attacks, acts as the financial community's clearinghouse for cyber threat information and as a liaison with government cybersecurity offices.

The cybersecurity panel is holding a series of hearings focused on working with the private sector to protect critical infrastructure, such as major financial institutions, utilities and telecom providers, from cyberattacks.

The Senate Homeland security committee is considering legislation that would compel private industry to share information about cyberattacks with the government, prompted by the powerful Stuxnet worm, which has the potential to infect operations ranging from water treatment to manufacturing.

A similar bill was introduced in the House and referred to the Subcommittee on Higher Education, Lifelong Learning and Competitiveness, where it hasn't received a hearing yet.

Carlin's organization also is urging the cybersecurity divisions at the Homeland Security Department to share information more often and more candidly with a cadre of cybersecurity officers at financial firms that have government security clearances.

Those cleared personnel can use that secret threat information to ensure their firms are protected from new threats and can pass on relevant threat information from the private sector end, Carlin said.

"When we're talking about information sharing, we mean bilaterally," she said. "There's an equivalent interest in government to have the private sector disclose threats that it's aware of as there is within the private sector to have the government disclose what it's taking care of."

Those security clearances were handed out several years ago through separate programs at Homeland Security and the Treasury Department as part of a government effort to more easily cooperate with the private sector on cyberthreats and counterterrorism. The Homeland Security clearances went to officials at industries outside the financial sector and across the spectrum of industry, an agency official said.

Dozens of financial professionals are cleared now at the Secret level and seven are cleared at the Top Secret level," Carlin said in her testimony.

One problem with protecting the private sector from cyberattacks, subcommittee Chairman Daniel Lungren, R-Calif., observed is a concentrated attack or a vicious bug like Stuxnet can weasel its way into the system of a nontechnology company, where Web security typically is more lax, and cause significant damage before it's discovered.

"In the financial services community and the telecom industry, it's fairly self-evident," Lungren said. "A cyberattack destroys your very product, your very service. Other [firms] can hedge and say, 'The way it hurts me is not that great, or the chances it will hurt me are not that great that I can justify this to shareholders.' "

A typical cyberattack nightmare scenario involves a hostile state or a terrorist group hacking into the U.S. power grid and shutting down the nation's power and communication systems.

Rep. Yvette Clarke, D-N.Y., the committee's ranking member, asked panelists on Friday whether the U.S. power grid could be "air-gapped," a technical term for making something completely secure by removing any connection to external systems, including the Internet.

The power grid is so expansive that it would be impossible to remove all external connection, Gerry Cauley, president of the North American Electric Reliability Corporation, a utilities industry group, said. But power suppliers have become adept at monitoring the external sites they work with to ensure they're as secure as possible, he said.

While many of its operating elements are run through the Internet, Cauley said, the power grid itself is offline and protected by several redundant systems.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.