As we all know, cybersecurity is very hard to legislate. Everyone agrees on the overall principle, but when it comes time to hammer out the details and set the course, agreement becomes difficult. That has been changing, however, and I am optimistic that 2015 is shaping up to be a year of continued focus and positive legislative moves in the area of cyber.
In the wake of major breaches across several industries in 2014, Congress and President Obama took the first step by passing several bills related to cybersecurity. The new National Cybersecurity Protection Act (NCPA), Cybersecurity Enhancement Act of 2014 (CEA), Federal Information System Modernization Act of 2014 (FISMA 2014), Cybersecurity Workforce Assessment Act (CWWA), and Border Patrol Agent Pay Reform Act (BPAPRA) all address federal government functions with respect to cybersecurity. As my colleague Matt Dahl, CrowdStrike’s Manager of Global Threat Intelligence and Legal Counsel, stated in a recent Security Magazine article, the CEA appears to be the most significant in both breadth and significance. As Matt concluded, “This bill covers a wide range of topics, to include research and development, and education and awareness. However, it is in the area of public-private collaboration that the new law is apt to have the most impact, since it empowers the National Institute of Standards and Technology (NIST) to facilitate and support the development of voluntary cyber security standards for critical infrastructure organizations.”
This is an important move and one that we are happy to see. In fact, these laws may have more impact now given the Obama Administration’s recent development of a new Center designed to address cyberattacks. The National Cyber Threat Intelligence Integration Center (CTIIC), according to Lisa Monaco, assistant to the president for homeland security and counterterrorism, “will help ensure that we have the same integrated, all-tools approach to the cyber threat that we have developed to combat terrorism.”
While there is some debate about the need for yet another government entity, I see this overall as a positive move and one that shows the import being given to the area of cybersecurity. Ms. Monaco explained that she has “long thought that the lessons learned from fighting terrorism can be applied to cybersecurity. She saw that as a policymaker she could quickly receive an intelligence community assessment on the latest terrorism threat from CTIIC, but that was not possible in the cyber realm.”
Last year’s high-profile breaches, including the Sony incident, were the impetus behind the CTIIC. Still, the question remains whether the underlying debate about information sharing will make or break all of these efforts. There are strong advocates for safe harbor protections for companies that share information with one another and with the government. Nonetheless, others are seeking to better understand whether safe harbor provisions are actually needed (what laws currently impede information sharing?) and beneficial (will companies really share more if they get legislative relief?). Regardless of the outcome of that debate, it certainly would make sense for the Government to prepare and release a report on information sharing and collaborative efforts that already are working, and then accelerate those models with an eye on maximizing the related personnel, budget, technology, policy, and statutory drivers. CrowdStrike also was proud to join President Obama earlier this month when he met with a number of tech leaders of private companies (including our co-founders George Kurtz and Dmitri Alperovitch) and signed an information-sharing Executive Order to encourage private companies to share information with the government. It has never been more critical that the private sector work with the federal government to break down barriers to information sharing and to foster collaboration when confronting today’s escalating cyber threat.
The power of the crowd is enormous, and working together we can vastly improve our security posture both domestically and abroad. I agree with our Magic 8 Ball. The outlook for renewed cybersecurity efforts in 2015 is good.