More work needs to be done to strengthen the alliance between the private sector and the U.S. Department of Homeland Security in combating cyber attacks, private stakeholders testified at a House Homeland Security subcommittee hearing Wednesday.
“In the cyber domain, we are constantly learning new lessons, and it is only by incorporating that knowledge into existing programs and processes that we can continue to move towards greater collaboration and better secured networks,” U.S. Rep. John Ratcliffe, chairman of the Cybersecurity and Infrastructure Protection Subcommittee, said in opening remarks.
“Because while the private sector is on the front lines of our cyber challenges, the federal government, and DHS in particular, has an important role to play as a force multiplier to provide the private sector with every advantage available to defend itself,” he added.
A large focus of the testimonies centered around strengthening current information-sharing programs and implementing proper responses to all types of cyberattacks.
“DHS deserves much praise,” Scott Montgomery, vice president and chief technical strategist of the Intel Security Group at Intel Corp., said. “It manages a thriving number of public-private partnerships that serve the national interest. At the same time, real-time information sharing needs to be implemented on a grand scale, IT procurement rules should be updated, DHS partnerships need to be benchmarked against other successful ones on a regular basis and additional incentives should be put in place to help grow the information sharing ecosystem.”
Montgomery said that even with DHS updates, the challenges cyber faces today are too large for one company to fight alone.
“Cyber defense initiatives peak shortly after release and degrade quickly thereafter,” he said. “No one company or entity can have a catch-all infrastructure to combat that.”
As the Trump Administration continues to settle itself on the national stage, Ratcliffe said, there is an opportunity to assess and reevaluate what policies must be strengthened to improve cyber defense.
Daniel Nutkis, CEO of the Health Information Trust Alliance, or HITRUST, said a main priority is guidance.
“We want to know what the expectation is for our role in the cybersecurity realm,” he said. “We are willing to step up and provide, connect and share. But we need to have the guidance to clarify what we can use to connect and share, how we can do it to foster these partnerships.”
Nutkis also said that each industry must have its own framework within the broader infrastructure framework, noting that a one-size-fits-all framework will not meet every industry's demands.
Trained labor and an incentivized workforce were at the top of Montgomery’s priority list.
“As we’ve talked about the size and scale of the cyber footprint impact on our lives, it grows every minute and we have not been able to keep up in the quantities we should,” Montgomery said. “We cannot out-labor this one person at a time.”
At the same time, he said, there should also be a focus on reducing the labor required. Automation that works at machine speed cannot be outmanned, he said, pointing to the possibility of more research and development for the Automated Indicator Sharing (AIS) program.
“This program allows both the private and public sectors to share indicators of compromise and mitigation with each other,” Montgomery said. “While the overall program has been a strong step in the right direction, it still provides far too little real value. Today, AIS does not provide a means for enriching the information it shares.”
Nutkis added that information sharing, though still minimal, has been moving in the right direction with the help of government partnerships.
“With programs like AIS, our experiences have been quite positive,” Nutkis said. “There are a lot of companies that are sharing and it’s not as effective as it could be, but we’re in a much better place than we were, say, five years ago.”
Ryan Gillis, vice president of Cybersecurity Strategy and Global Policy at Palo Alto Networks, shared the opinions of his fellow panel members on the operational side of cyber, but also highlighted the programmatic challenges that are faced in current engagement between the public and private sectors.
“On the programmatic side, this seems simple,” Gillis said. “But there are challenges to just onboarding for these companies working with the government. They’re short staffed and need to build trust, so making that process as easy as possible would be helpful.”
In closing remarks, panelists said that one of the biggest rifts between the private sector and DHS is where cyber attack attribution ranks on the list of prioritized tasks.
“Attribution is not as relevant for us in the private sector,” Nutkis said. “We obviously want to know what the threat is and how large it is and what we can do to protect. But right now it’s nothing more than an interesting fact on the industry level.”
Montgomery added that now is not the time to focus on attributing cyber attacks when there is no course of protective retribution.
“Attribution is a step that people are prioritizing more heavily at the wrong times,” Montgomery said. “It’s like choosing what carpet to put in when the house is still on fire. It should be far further down the tracks so we can make sure it doesn’t happen again, or make sure that we have a way to combat it, before we figure out who did it.”