Cyber Legislation and White House Executive Orders
Out of frustration over Congress’ failure to pass a new bill on cybersecurity, the White House appears to be getting closer to an executive order to push through some actions. According to a copy seen by AP, the seven-page order “would direct US spy agencies to share the latest intelligence about cyberthreats with companies operating electric grids, water plants, railroads and other vital industries” to better defend against cyber attacks. It requires the Department of Homeland Security to set up a new information sharing network to send “tear-line reports” of sanitized summaries of classified intelligence reports.
This executive order would be a good step but it falls far short. Even the administration agrees an order isn’t enough, and still hopes for legislation in the next Congress.
Cyber problems are absolutely solvable but we are not currently on track to solve them.
For the past decades, the attackers have had nearly all the advantages, so it has been easier to attack then to defend. Increasingly it has become clear that to make cyberspace safe and secure we need to reverse this equation and make it easier to defend than to attack, globally. Sending a few tear line reports isn’t going to shift that balance, but it’s a start. Then again, if all we needed to make this happen was the say-so of the president, we should have done it ten years ago.
Earlier this year, I called for the government to “talk more and listen less” by declassifying threat signatures. Tear-line reports are actually a good first step to that, except for a few important missing items.
The government doesn’t like to share, especially the good stuff. By the time this intelligence makes it through the various rounds of approval for declassification, the intelligence may be of limited value, as the government found during a past sharing effort with companies in the defense industrial base.
The intelligence higher-ups will not want to share the intelligence that might limit their future collection opportunities, the “intelligence gain/loss.”
There are already numerous information sharing networks; if this effort creates yet a new channel, it will further confuse efforts.
The government will likely share this information in emails, rather than the machine-readable formats the private sector uses to automatically manage threat intelligence. Instead of just having their databases scoop up this intelligence, there’s a good chance they’ll have to pay someone to fat-finger the details.
To really make a permanent difference, the government should not call on DHS and the pntelligence community to declassify and share, but to make it mandatory and hold leaders accountable with inspections to ensure it gets done all the time, quickly. There should be an automated process to declassify signatures and only rare exceptions, to be approved by the most senior leaders. Else there is too great a risk that the process takes too long and releases too little, as seems to have happened in the DIB pilot. Much – even most – of the threat intelligence can be gleaned through unclassified sources, so fears about compromising sources and methods are often overblown.
A more permanent – and global – solution than tear-line reports is for the government to send threat signatures to a clearing house which brings together similar streams from all the main security companies and network service providers, anyone large enough to have a unique signature base. There is no reason such a clearing house could not also bring in signatures from the British, Canadian, Australian and other intelligence-sharing allies. The clearing house would then wash the signatures together to hide the source and after a suitable waiting period (to give some commercial advantage to those with the best signatures) they entire list would be shared with everyone that puts in. This solution is far more scalable and bolsters the existing global security market.
A popular commercial today shows devoted fans of a popular smart phone eagerly waiting for hours to get the newest version with all the things they were disappointed they didn’t receive in the last version. This feeling will soon seem familiar to both legislators and the White House.
Since it is unlikely that any forthcoming bill or executive order will fundamentally shift the characteristics of cyberspace to favor the defense, in just a few years we will face another big push for cyber legislation to get what we thought we were supposed to get in this version.
Jason Healey is the Director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. He is a former signals intelligence officer, executive director at Goldman Sachs Asia, and White House policy director. You can follow his comments on cyber cooperation, conflict and competition on Twitter, @Jason_Healey.