There was a familiar refrain on Capitol Hill Wednesday: In order for Congress to pass meaningful cybersecurity legislation, it needs to strike the right balance between security and privacy when it comes to information sharing.
A number of private industry cybersecurity experts testified Wednesday before the Senate Homeland Security and Governmental Affairs Committee on how the U.S. government can better serve the country’s cybersecurity landscape in the wake of growing attacks. While the experts said bills like the Cyber Intelligence Sharing and Protection Act (CISPA) or President Barack Obama’s proposed Personal Data Notification and Protection Act are a good start, the process by which private companies exchange information with the government needs to be refined.
Greg Nojeim, the director of the Freedom, Security and Technology Project at the Center for Democracy and Technology, told the committee that while there is “no silver bullet that will wipe away the danger of cyber attacks,” an information-sharing bill cannot set a policy that “evolves into a surveillance program.” Nojeim said a bill must “narrowly define information that can be shared, and only that which is necessary to describe a threat.”
Exactly what information can be shared has been a hang-up in past versions of CISPA — the idea that a company can swap personally identifiable information with the government upsets privacy advocates. A new version of the bill was introduced in the wake of last year’s cyber attack that crippled Sony Entertainment.
While a number of experts who testified Wednesday said simple remedies like patching networks and better user training could help mitigate cybersecurity risks, Richard Bejtlich, chief security strategist for FireEye, said the speed at which attackers are detected needs to greatly improve. He noted that last year the median amount of time between a hacker breaking into a system and when the system’s owner was alerted was 205 days.
“Network hygiene only gets you so far,” Bejtlich said. “In 70 percent of cases, someone else — usually the FBI — tells a victim about a serious compromise.”
Bejtlich then recommended that any new information-sharing regulations measure intrusions that occur in given year as well as the amount of time between when an intrusion happens and when a company notices.
Marc Gordon, chief information officer of American Express, added that legislation should have an emphasis on real-time sharing, contain liability and disclosure protection for companies that act and share threat information, and extend protections to allow for more sharing between government and private entities.
“Effective information sharing can have the single highest impact, lowest cost, fastest-to-implement capability we have at hand as a sector and a nation to rise the level of capability against the many threats we face,” Gordon said.
Committee members were receptive to the witnesses’ suggestions. Multiple senators asked how they could improve the government’s practices.
“It’s remarkable to me how many mistakes we make,” said Sen. Cory Booker, D-N.J., referring to cyber hygiene. He said he and his staff have recently embraced multifactor authentication.
Sens. Joni Ernst, R-Iowa, and Kelly Ayotte, R-N.H., asked whether embracing cloud computing could affect a company’s cybersecurity risk. Scott Charney, vice president of Microsoft’s Trustworthy Computing Group told the lawmakers that information from the cloud runs the same privacy and security risks as any other system.
“People ask me if the cloud is good or bad for security; the answer is yes,” Charney said. “It’s important to understand in the cloud model, you have a multitenanted environment. You have a lot of customers using the same cloud service, which makes it a very rich target. We do things to make sure our customers’ data is segmented from one another to prevent that lateral movement.”
Charney continued, elaborating on the public mindset that has sunk prior information-sharing bills.
“If we don’t protect the privacy of that information [in the cloud], then what happens all over the world is people say, ‘So I can use a local provider, right? Because if I use your cloud, you’re just going to give all our data to the U.S. government,'” he said. “What will happen over time is American IT products and services that have been so successful around the world, in other parts of the world, people will say, ‘Maybe we’re better off with local tech.’ That, in the long term, would be a terrible thing.”
Watch the full hearing here.