Effective cybersecurity information sharing comes down to human relationships and trust. But a never-ending series of leaks of classified information about NSA surveillance activities, made possible by former contractor Edward Snowden and sensationalized by the national news media, has dealt a major blow to the public-private partnership required to protect critical infrastructure, cybersecurity experts warned.
“The Snowden unauthorized disclosures took the wind out of the sails of what was a growing agreement [in the U.S.] that the National Security Agency had a very direct role to play in supporting the Department of Homeland Security and providing actionable cyber-threat information,” said Larry Castro, a 44-year veteran of NSA whose last government post before becoming a managing director at The Chertoff Group was as the NSA representative to DHS.
Congress had been deeply engaged in a heated debate about cyber-threat information-sharing legislation when the Snowden leaks became public in June. And while lawmakers have been unable to pass meaningful cybersecurity legislation, many did finally agree to a central information sharing role for NSA because of the agency’s unmatched capabilities in cyberspace. But Castro and others said progress is now threatened and could take years to recover.
“So now whatever time the Congress is spending on cybersecurity, it’s not in the context of promoting information sharing; it’s in the context of ‘what can we do to restrict NSA’,” said Castro, speaking during a panel discussion hosted by the Industrial Control System Information Sharing and Analysis Center. Recovering from the disclosures, which Castro said have been completely misrepresented in the national media, will require “a very slow, painstaking” effort to inform Americans and Congress about the legality and necessity of the NSA programs.
“For our nation to be competitive, there will have to be certain authorities re-validated for the National Security Agency,” he said.
But things may be more difficult on the international stage, where cultural norms and privacy policies often differ from the U.S.
“It’s not only the laws that are a barrier; it’s also culture,” said Margarete Raaum, deputy CSO at the University of Oslo in Norway and a member of the board of directors of the Forum of Incident Response and Security Teams, an international confederation of cyber-incident response teams. “Some cultures are more trusting than others,” she said. “Some are more trusting internally and some are more trusting to other external people. This is hard to fight. It’s kind of a prisoner’s dilemma — who’s going to share first?”
Making matters worse is the fact that governmental sharing hubs are now at a disadvantage because of the public’s concerns about surveillance, Raaum said. “We need to know not only who people are, but also a sense of the other party’s benevolence,” she said. “We need trust and trust is about becoming vulnerable. Cooperation is not the same as trust.”
But Peter Allor, a security strategist at IBM Federal and also a member of the FIRST board of directors, is less concerned about the impact the NSA leaks or governments may have on global cyber-threat information sharing. For Allor, information sharing is about people who’ve learned to trust each other over years.
“Information sharing and trust are not based on nation states,” Allor said. “You talk to people you know. Sharing is not a technology either. Sharing is a relationship.”