National Cyber Director: Liability Should Be Part of the Equation for Public-Private Collaboration

National Cyber Director Chris Inglis (Photo: Charles Dharapak/AP)

Cyber leaders’ plan to emphasize collective defense over offense hinges on industry’s willingness to share information with government in real time.

Establishing a working public-private partnership to defend the nation’s critical infrastructure from cyberattacks should not mean granting companies immunity from liability when they fail to implement appropriate measures, according to one of the nation’s top cyber officials. 

“At the end of the day, if you've not performed well in this space, there will be consequences. There should be liability,” National Cybersecurity Director Chris Inglis said.

Inglis spoke during a McCrary Institute event Tuesday along with Cybersecurity and Infrastructure Security Agency Director Jen Easterly, National Security Agency Cybersecurity Directorate leader Rob Joyce, FBI Deputy Director Paul Abbate and Berkshire Hathaway President Bill Fehrman.

The idea of giving certain owners and operators of critical infrastructure a level of protection from liability in lawsuits that could spring from successful attacks on their systems emerged from the congressionally mandated Cyberspace Solarium Commission. The non-partisan, public-private commission proposed liability protections in conjunction with those companies being required to implement appropriate security controls to defend themselves. The “systemically important critical infrastructure” entities, as they would be termed, would also receive federal resources and intelligence and likewise share their insights back with the government.

But recent efforts made in the name of the idea have excluded crucial aspects of the original proposal. A bill from Rep. John Katko, R-N.Y., for example, looks to identify systemically important critical infrastructure for the purpose of providing access to a recovery fund but doesn’t address commensurate cybersecurity standards. It also didn’t address the liability or information-sharing issues.       

But as debates continue in Congress, leading cybersecurity officials are pressing on with other aspects of the idea. 

“For the most part, if you perform well in this space, you're not alone. You're not standing kind of alone with your own resources, your own insights,” Inglis said. “If you perform well, faithfully, diligently in this space, you deserve the collective action of the crowd that’s standing to the left, to the right of you.”

At CISA, Easterly has been promoting the Joint Cyber Defense Collaborative, which she created in the spirit of the Solarium Commission recommendation.  

“It has to be much more than partnership,” she said. “It has to be working together in what Chris [Inglis] would call professional intimacy in real time, sharing information that's more than just information. It's enabling data to allow us to deal with a constantly evolving threat environment so that we can actually reduce risk and get back to a place where defense dominates the offense.”

The federal government has arguably long-established arrangements like the JCDC for public-private collaboration. The FBI’s National Cyber Investigative Joint Task Force has been around since 2008 and describes a very similar mission, for example. 

One element that could set the JCDC apart is the Joint Collaborative Environment. Championed by Rep. Jim Langevin, D-R.I., a member of the Solarium Commission and chair of a key Armed Services Committee panel, the JCE involves a shared cloud to enable real-time data sharing and analysis between the government and private companies.

The JCE was included in the House version of the 2021 National Defense Authorization Act but fell out of the bill after opposition from the Senate side. A Democratic aide told Nextgov they basically ran out of time to convince certain offices under competing priorities during the pandemic.

Speaking at a Carnegie Endowment for International Peace event last month, Langevin said he is optimistic the JCE will make it across the finish line in this year’s NDAA.

“Our information sharing and any subsequent analysis of that information is going to be substantially less effective without, for example, a common tool set for analyzing cyber data … entities need to be able to make sense of the data coming from different sources around the cyber ecosystem and JCE would basically provide an environment for analyzing information on cyber threats, cyber security risks and malware forensics,” he said, noting with regard to his legislation: “I think we’re going to fare much better this time.”