Large-scale data breaches—such as the Office of Personnel Management data hack in 2014 that exposed the sensitive personal information of over 22.1 million Americans—have demonstrated an increasing need for advances in cybersecurity. The adoption of the Cybersecurity Act of 2015 has pushed private sector businesses to follow guidelines for improved cybersecurity while participating in information sharing with government agencies.
Earlier this month, the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies held a hearing to examine the perspectives of stakeholders in both private industry and government on how to improve implementation of the cybersecurity legislation.
The Cybersecurity Act of 2015 requires the Director of National Intelligence and the Department of Homeland Security (DHS), Department of Defense (DOD) and Department of Justice (DOJ) to develop guidelines to share cybersecurity threat information with the private sector and other federal agencies. The act outlines liability protection for agencies to share potential cyber threats and defensive measures with other organizations.
Witnesses testifying at the hearing raised questions about the clarity of the act while commending DHS on its ability to meet all implementation deadlines. DHS and DOJ issued updated versions of the information sharing guidelines before the subcommittee hearing; witness statements were not updated to reflect the amended requirements.
Subcommittee Chairman John Ratcliffe (R-TX) said cybersecurity is important for protecting both the private sector and US critical infrastructure. He addressed confusion regarding liability protection and information sharing between private businesses and between private businesses and the federal government.
“We cannot tolerate acts of cyber threat and cyber warfare, especially when they result in the theft of intellectual property and innovation,” Ratcliffe said.
Ola Sage, founder and CEO of e-management, said more clarification is needed before small businesses can benefit from the guidelines.
“In the law itself, there are only two references to small business, which highlights that this law is not directly focused on small businesses,” Sage said.
Sage suggested that DHS consider the financial obstacles for small businesses to implement the optional portions of the information sharing guidelines.
Mordecai Rosen, General Manager of the Security Business Unit for CA Technologies, told Homeland Security Today that there are areas where the subcommittee could improve businesses’ ability to both comply with and benefit from information sharing, particularly for small businesses.
“Becoming a member of the information sharing program, it really has to be like joining Google Mail. It has to be very, very low-friction. There can’t be high cost for small business, there can’t be expectation on security expertise on small business,” Rosen said, adding that small businesses need more cost effective options in order to implement the recommended standards from DHS.
Rosen said small businesses face the enormous risk of intellectual property theft and need to follow the guidelines in order to protect their companies. He added that the subcommittee will also have to address the cybersecurity of the proposed information sharing network itself.
Currently, DHS has implemented an Automated Indicator Sharing (AIS) program that makes sharing and exchanging cyber information between federal agencies and the private sector more convenient.
“Since this is effectively a threat intelligence network that we’re all going to be leaning on to provide us insight into upcoming threats, the infrastructure associated with the AIS program itself has to be well protected. It has to have administrative controls put out on it,” Rosen said.
Rosen addressed the importance of identity authentication within the system, stating that cybersecurity information sharing is based on trust and highlighting the need for secure information standards. He also explained how the system poses challenges for large businesses that must integrate the new standards into pre-existing security protocols.
“Currently it seems that some of the data (provided through AIS) is old and duplicative to current open sources, so we have to do that level of analysis because if we’re going to plug into it we have to make sure it has value,” Rosen said.
With hacking and data breaches on the rise, lawmakers face an increased need for cybersecurity policy and protocol, within both large and small businesses of the private sector and within government agencies.
“There are two types of companies,” Ratcliffe said. “Those who have been hacked and those who don’t know they have been hacked.”