America's cyber blind spot
“The warning lights are blinking red again.” That’s how then-Director of National Intelligence Dan Coats described the cyber threat to America’s critical infrastructure last summer. His word choice evokes more meaning this time of year — it was the same phrase employed by former CIA Director George Tenet during his now-infamous testimony months before the attacks on Sept. 11th.
Coats’s words should be enough to worry any American. The scary part is he couldn’t know the worst of it.
That’s because nearly 90 percent of America’s critical infrastructure is privately owned and operated and thus beyond the reach of the U.S. Intelligence Community. This includes our power generation and distribution facilities, water and wastewater treatment plants, transportation systems, oil and gas pipelines, and telecommunications infrastructure. The federal government is not authorized to monitor or “hunt” for threats on these networks and therefore has limited visibility into their exposure to cyber threats or active intrusions by hackers.
Yet even in the absence of visibility into these networks, the nation’s top intelligence official warned with confidence that “the digital infrastructure that serves this country is literally under attack.”
During my tenure in government I thought I had a solid grasp on the cyber threats to our critical infrastructure. The truth is my understanding is far better now that I’m employed in the private sector than it ever was during my time in government. The U.S. Intelligence Community is the best in the business when it comes to processing information and converting it into intelligence through rigorous analytical tradecraft.
But producing valuable intelligence starts with collecting raw data. And when it comes to cyber threats, the majority of raw data resides in private hands.
Nearly two decades after 9/11, therefore, our ability to confront a new threat is once again hindered by the presence of data stovepipes.
This time the threat is non-kinetic and instead of a compartmented and siloed federal bureaucracy, we have a gaping information-sharing divide between our public and private sectors.
Congress has debated this issue before, and in 2015 President Obama signed the Cybersecurity Information Sharing Act to make it easier for private companies to share data on cyber threats with the U.S. government. But two years later, only six non-federal entities had elected to provide data to the Department of Homeland Security in accordance with the law.
While the law provided a communications and legal structure for private-public information sharing, it fell short on the incentive structure. The problem is straightforward: American industry is not properly incentivized to share cyber threat information with the government to enrich its analysis and inform better policies and decisions related to our national cyber security.
Rather than relying on good will and patriotic benevolence to jumpstart the flow of information from private to public, the U.S. government should consider sourcing cyber threat information from the private sector the same way the Intelligence Community sources information from human assets — with the almighty dollar. One idea is to create a federal marketplace for cyber intelligence — an open and accessible venue for companies to sell cyber threat information to the U.S. government.
A federal marketplace for cyber threat information would help offset the extraordinary costs that industry is already absorbing to thwart cyber attacks from nation-states. Furthermore, it would align national intelligence priorities with industry’s cyber security investments, thereby transforming the private sector into a force multiplier. Suddenly the value proposition to companies would be crystal clear. Not only would they receive dollars for their data, but they would also benefit as consumers from the finished intelligence products. In this respect, cyber intelligence sourced from industry would not carry the same restrictions on distribution that apply to the intelligence derived from the U.S. government’s sensitive sources and methods. This two-way street of information sharing alone would be enough to incentivize many companies to participate.
Detractors would no doubt call this the militarization of industry. But industry has already assumed the burden of national defense when it comes to cyberspace. This marketplace would simply subsidize the cost of this endeavor and allow for a more equitable cost-sharing relationship between the public and private sectors.
According to the Pew Research Center, the vast majority of Americans expect a major cyberattack against our critical infrastructure or financial system in the next five years. If their expectations were realized tomorrow, the after-action report would undoubtedly evoke some of the same themes from the 9/11 Commission Report and cite a lack of information sharing as the culprit.
We must learn from the lessons of the past and adapt them to the future. It’s time for a creative and market-driven solution to bringing together our public and private sectors on cybersecurity.
Three former secretaries of homeland security dating back to the Bush Administration recently used the venue of a Congressional hearing — set on the hallowed ground of the National Sept. 11th Memorial Museum — to call lawmakers to action on the cyber threat. As former Secretary Janet Napolitano said, “In the cyber arena, we have all these red flags now, we shouldn’t suffer from a failure of imagination.”
Dave Weinstein is the Chief Security Officer at Claroty and a Visiting Fellow at George Mason University’s National Security Institute. He previously served as Chief Technology Officer for the State of New Jersey; before that, he served at U.S. Cyber Command.