Chertoff spoke next, and indicated his agreement with McConnell’s remarks. He suggested that the criticism of cyber “hype” is largely misplaced, and pointed to the case of Nortel (which was recently found to have been the subject of cyber thefts over a ten year period), Stuxnet (and potential uses of similar technology to inflict harm on US critical infrastructure), and the rise of groups like Anonymous as examples of the gravity of the threat environment. Chertoff said the cyber battlefield is all over, and is most felt by the private sector, whom he considers both a combatant and a target. On the legislation, he said three core elements are necessary: information sharing (which he called “foundational”), liability protection and incentives, and standards setting and requirements for critical infrastructure. He suggested that market forces are inadequate for this threat, and provided the following example: a $1 million enterprise won’t spend $10 million to safeguard their systems – to them it’s just not worth it. Nevertheless, a failure of those systems could lead to damages of hundreds of millions of dollars. The market can’t sufficiently address that.
The senior legislative staff spoke next, each defending the legislation they were working on. They were quick to point out that where the market operated properly they wanted it to continue to do so.
Corcoran, with the House Intelligence Committee, touted the Defense Industrial Base (DIB) Pilot as a workable foundation and what led the Intelligence Committee to adopt a similar approach with the Cyber Intelligence Sharing and Protection Act. He said committee staff spoke with industry and tried to figure out what obstacles they faced in terms of effective information sharing; the committee then sought to remove as many of those barriers as possible.
Gronberg, who works for the Homeland Security Committee, said that their approach with the National Information Sharing Organization (NISO) would work well because it pools information and expertise into a single clearinghouse. He suggested that it would also help to facilitate a common operating picture for industry and agencies.
Rossi agreed that the common operating picture would be a “game changer,” but said it would require all sorts of information sharing procedures (seemingly endorsing what the Senate bill and both House bills offered).
On this note, McConnell raised an alternative or possible addition: since NSA is at the heart of the cyber realm, task it with establishing an all-source information center, and provide security clearances for ISPs and other stakeholders – bring them in to participate. With respect to the NSA, he also suggested a potential avenue could be for the agency to scan domestic traffic for malware, but forbid it from examining content on those networks. Upon prompting from the Wall Street Journal’s Siobhan Gorman during the Q&A period, the other panelists mildly took issue with that idea, noting that while NSA’s capabilities are superior, highly sophisticated, and necessary for safeguarding US systems, domestic networks ought to be the domain of DHS. As it stands now, McConnell later added, if NSA sees an inbound threat aimed at a private sector asset, it is only authorized to “write a report about it.” The unstated implication seemed to be that those restrictions need to be changed.
Chertoff made an interesting point regarding the tools that “the adversary” uses against government networks and critical infrastructure systems. He began by noting that opponents often use the cheapest, least sophisticated tool in their arsenal, and only pull out the “big guns” (my words) when necessary. He argued that setting standards and enacting other measures that enhance security forces the opponent to bring out those big guns. This allows us to get a look at the equipment and adapt to it, thereby further improving our security. McConnell added that if the intelligence community does its job, “we’ll know the malware” before it’s revealed and will have already adapted to it.
On the matter of potentially devastating cyber capabilities and the potential disincentive for countries like China or Russia to employ them (mostly because the catastrophic harm that such weapons could yield would undoubtedly cascade and affect them as well), McConnell said there is a strong fear of the potential consequences from such capabilities leaking to more aggressive, less prudent opponents.
The discussion closed with a request for predictions on the outcome for this legislation, which no one seemed comfortable offering.
You can watch the event in full here.