While sharing cybersecurity information with the private sector is long overdue, the approach outlined in the Executive Order is fatally flawed. Cyber threats evolve rapidly and responding to them requires a degree of agility that governments have proven not capable of.
In summary, President Obama’s plan is to “encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs).”However, by directing his Secretary of Homeland Security to contract with a non-governmental organization to serve as the ISAO Standards Organization, the President is creating a new level of bureaucracy that will offer little value to the private sector.
Cybersecurity companies already collect, analyze, and sell the information Obama suggests ISAOs share. Firewall and antivirus vendors, who use their large install base as a distributed sensor platform, have no incentive to share information for free. Encouraging the creation of ISAOs does nothing to change this business reality.
Canada’s Cyber Security Strategy, introduced in 2010 by Vic Toews, former Minister of Public Safety, acknowledged the severity of the problem:
“Our systems are an attractive target for foreign military and intelligence services, criminals and terrorist networks. These groups are breaking into our computer systems, searching through our files, and causing our systems to crash. They are stealing our industrial and national security secrets, and our personal identities.
We don’t see them, we don’t hear them, and we don’t always catch them. At times they are mere nuisances. At other times, they present real threats to our families, companies and to our country.”
The Canadian strategy was “built on three pillars: Securing government systems; Partnering to secure vital cyber systems outside the federal government; and Helping Canadians to be secure online.”The Government of Canada has failed dismally on all three counts. A half decade has passed since the strategy was introduced. Entire government departments have been compromised, little has been done to help the private sector, and legislation claiming to protect Canadians has only served as a smokescreen for increased government surveillance.
If the country was under physical attack, citizens would expect the government to take immediate action to counter the threat. If a home or office is under attack, it is expected that law enforcement will intercede immediately. If governments genuinely desire to protect their citizens and their corporations from cyber attacks they would be taking real action.
Governments should be collecting information on cyber attacks, on a voluntary basis, and in real-time. In the physical world, law enforcement encourages citizens to report crimes and suspicious behaviour. By failing to provide the cyber equivalent, law enforcement sends the clear message that they simply don’t care. Ironically, cybersecurity-related information could be submitted to law enforcement electronically and processed much more efficiently.
Governments should also be freely sharing cybersecurity information with the private sector. Most sharing efforts have been extremely limited and directed toward critical infrastructure. However, this is akin to only providing police protection to businesses the government deems most important. This is simply unacceptable in a democracy.
According to the Canadian Federation of Independent Business (CFIB), small businesses with fewer than 50 employees represent 97.8 per cent of the total business establishments in Canada. Protecting these businesses is clearly in the national interest.
Contracting out the creation of new standards and encouraging the private sector to share and analyze cyber security information isn’t leadership; it’s an abdication of government responsibility.
Facebook, constantly criticized by privacy advocates, is poised to do more about the cybersecurity problem than both the US and Canadian governments combined. ThreatExchange is a good example of what we need today; a platform for security professionals to effectively share information. As Facebook wrote, “Learn about new threats; share threat information back; everyone gets more secure.”
There is an old saying, “Lead, follow, or get out of the way.”Governments are not leading. If they’re not going to follow, they should get out of the way.
Have a security question that you’d like answered in a future column? Email firstname.lastname@example.org.
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…