In February, the Obama Administration unveiled its latest National Security Strategy, and to no surprise, cyber threats are prominent on the list of concerns. The strategy stresses the government’s efforts to secure the nation’s critical infrastructure. But cyberspace—described in the report as a domain to be secured, adjoined to the familiar air, land, and sea—is a complex and fast-evolving frontier. And the breaches at Sony in late 2014 made it clear that the United States is vulnerable to intrusions. Properly thwarting attacks requires unprecedented cooperation between the public and private sectors.
The need for collaboration between the U.S. government and private-sector firms raises issues about privacy, as these companies are typically averse to sharing information. But in order to protect U.S. national interests, companies in the private sector must be compelled, through legislation, to report intrusions and allow the government access to their networks for security purposes.
For centuries, the United States seemed impenetrable. The two oceans that hug its borders protected the nation. It wasn’t until after Pearl Harbor that it realized it was, in fact, vulnerable to large-scale foreign attacks. Now, the U.S. is facing the possibility of another debilitating attack—and again it is one that people can barely conceive of. As a country, we are ill-prepared. In 2012, then-Secretary of Defense Leon Panetta noted that the U.S. might be at risk of facing a “cyber Pearl Harbor,” resulting in “physical destruction and loss of life.”
Even Director of National Intelligence James Clapper concedes the U.S. is not yet prepared to take on the growing cyber threat. And if the Sony hacks, which U.S. officials blamed on North Korea, taught us anything, it’s that foreign actors certainly have the capabilities to disrupt cyberspace in a damaging way. The U.S. needs to stop outlining general plans for combating these threats, and put in place an actual framework for defense.
A successful cybersecurity policy needs to include information sharing and reporting standards for private-sector companies. At present, there are no requirements for these firms to report intrusions at the national level. Standards that insist on reporting hacks, put in place by legislation, would help document breaches, identify weaknesses, and aid in minimizing risk. Further, allowing government access to private sector networks would help the appropriate agencies to monitor intrusions and develop stronger defense measures.
In February, Senator Ron Johnson (R-WI) stressed the importance of passing legislation that would enhance information sharing with regard to the private sector. “By sharing threat signatures, vulnerabilities and other indicators of network compromise, within and between the private sector and government, many cyber attacks can be prevented,” he said in a GOP Weekly Address.
In fairness, the Obama administration appears to be taking some steps toward addressing the problem. A number of new information-sharing initiatives were recently introduced by executive order. Notably, these initiatives call for a “Cybersecurity Framework,” which would include a set of standards that “align policy, business, and technological approaches to address cyber risks” and incorporate “consensus standards and industry best practices.” However, all of the steps laid out would be voluntary, and the language used is broad and unclear. In short, these steps are encouraging, but not enough.
Make no mistake: implementing standards that demand private-sector organizations—namely those that operate in the banking and technology spaces—to share information is no small feat. It will take cooperation—and probably concessions—from the government to bring everyone to the table. These companies, particularly heavyweights such as Google and Microsoft, need to be assured that allowing the government access to their networks will not result in any undue scrutiny or investigation into their business practices.
U.S. officials need to take a proactive role in bringing our standards for operating within cyberspace to a more definitive level through information-sharing legislation. The Obama Administration understands the need to collaborate with the private sector on cybersecurity, but it is coming up short on putting a plan into action. Even the most recent initiatives fail to present an adequately clear picture for the future. Formal legislation for information-sharing and reporting standards is the only way to ensure the safety of our networks. Without it, the U.S. is leaving itself open to attack.