It would be a mistake to move control of public-private cybersecurity relations from a civilian agency to the Department of Defense, as called for in a recent executive order draft, experts told members of Congress on Thursday.
“I think ensuring that we maintain a civilian lead within the Federal government on cybersecurity is going to be absolutely essential as we move forward in this space,” said Robyn Greene, policy counsel and government affairs lead at New America’s Open Technology Institute.
Greene and other industry experts testified in front of the House Homeland Security Committee on Thursday. “One of the things that had been contemplated in the executive order is bringing the Department of Defense more into that work, and I think that would be a mistake.”
“I’d like to see a clear statement from the administration that there will be a civilian lead for continuing DHS, a civilian lead for the civilian cyber effort,” said Jeffrey Greene, senior director of global government affairs and policy at Symantec. “I think it’s important to send a message both to the companies that have developed relationships with DHS to know those are going to continue and also around the globe.”
Leaked copies of a potential cybersecurity executive order would have placed much of the responsibility for maintaining private sector cybersecurity policies in the hands of the Department of Defense, rather than the Department of Homeland Security.
“While I share the president’s desire to better protect critical infrastructure, directing the Pentagon to take on cybersecurity in the private sector would represent a radical departure from how the government manages cybersecurity,” said Rep. Cedric Richmond, D-La.
Robyn Greene added that currently the Cybersecurity Information Sharing Act (CISA) has overly broad language regarding the privacy and use of private sector threat information reported to the government.
Though DHS guidance has done much to mitigate the privacy and security risks, certain parts of the law cannot be amended by DHS regulation, according to Robyn Greene. In particular, the current law would allow law enforcement to use cybersecurity information shared by private companies in investigations unrelated to the reason for sharing. It would also allow for the president to establish a second portal for private sector information sharing, such as one within the military or law enforcement.
“Having that second portal would decentralize the information sharing process,” Robyn Greene said. “I haven’t heard anything with regard to how the administration will be approaching changing DHS’s implementation of its guidance or sort of reopening CISA to amend these problems. I would certainly encourage Congress to start thinking about whether it would be possible to amend CISA to address those concerns, but most importantly, I hope that this committee will work to bolster DHS in its efforts to implement CISA in the manner that it has done, which is balancing privacy and security.”
Other witnesses said that Congress and DHS should look into relaxing their classification procedures for vulnerability information, which slow down the information sharing process and often cover data that does not pose a significant danger to national security.
“There is one instance where I think we can make improvement and it’s when there is a data classification around a government event. When there’s a government incident requiring data classification, we’re classifying too quickly,” said Scott Montgomery, vice president and chief technical strategist at Intel Security Group, explaining that incidents on unclassified systems, or cases where the vulnerability is already circulating on the dark Web, should not be kept as secret. “The context around the event makes it easy to decide what should be disseminated quickly and what should not.”
“I believe the U.S. government is never going to be quick at declassifying some of its most valuable information. What the U.S. government may not realize, however, is that we in the vendor community may see trial balloons of that most sophisticated technology in a few places in unclassified ways,” said Ryan Gillis, vice president of cybersecurity strategy and global policy at Palo Alto Networks.
Gillis did praise Congress’ ability to improve the information sharing capabilities between agencies like DHS and the private sector.
“The legislation that you have helped lead over the last several years has not only helped foster responsible cyber threat information sharing, it has also strengthened the statutory responsibilities and statutory authorities DHS has to execute its mission,” Gillis told the committee.