After years of deliberation and debate, the Senate passed the Cybersecurity Information Sharing Act (CISA) this week. The bill aims to reduce cyber attacks by allowing companies to share cybersecurity threat data with the Department of Homeland Security and other federal agencies. If, as expected, the bill passes in the House and becomes law, CISA would facilitate the sharing of cyber threat indicators — the latest forms of malware, spear phishing campaigns, and known malicious domains — between the private and public sectors.
The bill’s looming passage is welcome news as National Cybersecurity Month draws to a close. Cyber attacks now penetrate areas long considered sacred ground. In June, the U.S. learned Chinese hackers had breached the data of more than 20 million government employees. And last week, it surfaced that a teenager apparently used “social engineering” to access CIA Director John Brennan’s personal emails.
The stakes are growing by the day. Hackers are reportedly setting their sights on physical assets, including critical infrastructure like electric grids, transportation systems and telecommunications networks. Notably, almost 85% of our nation’s critical infrastructure is owned and operated by the private sector. Cyber attacks in the future are likely to extend far beyond credit card data and social security numbers to actual physical assets. To protect our critical assets, we need to bring government and industry together and see the benefits of public-private collaboration in thwarting these attacks.
Given the rising threats, CISA becoming law would mark tangible progress in our nation’s fight against cyber vulnerabilities. It would also provide help to companies throughout our country.
In an April letter to Senate Homeland Security and Governmental Affairs Committee Chairman Ron Johnson, general counsels from more than 30 of America’s leading corporations – including American Express, General Electric, Lockheed Martin and others – called on Congress to act quickly in advancing robust information sharing legislation (disclosure: I signed the letter on behalf of Marsh & McLennan). The passage of CISA would symbolize an important first step in bringing government and industry closer at a time when collaboration between the two parties is badly needed.
But that’s only one step. Trust between the public and private sectors has frayed on privacy issues. The Snowden scandal continues to loom large, and corporations and privacy advocates remain concerned about the way in which the government handles industry communications and customer data.
To build on the good faith and momentum engendered by CISA, further steps are needed. As an opening move by the government, the Department of Homeland Security, which has been tasked under CISA as the government’s portal to the civilian world, should invite a leading tech company to design the platform for sharing critical cybersecurity information. Building a scalable platform of this sort in a machine-readable, real-time format is no simple feat.
Why should DHS consider a private sector partner? Because companies like Facebook have already demonstrated that this can be done successfully. In February, the social networking company launched its innovative ThreatExchange platform for the sharing of cyber threat indicators among and across the private sector. More than 100 companies — including Yahoo, Pinterest, Tumblr, and Dropbox — already participate. Last month, ThreatExchange facilitated more than 3 million interactions. In effect, this is cybersecurity social networking. And this is not the only private sector platform for cyber information sharing. Under the leadership of the Depository Trust & Clearing Corporation, the financial industry has developed a similar platform called Soltra.
Beyond functionality, the symbolic significance of DHS reaching out to a leading tech firm to construct this critical government system could ripple quickly, and powerfully, across the tech industry and beyond, serving as a valuable sign of good faith.
The government should also capitalize on mutual interests. Veterans offer a clear opportunity to do so. As I’ve argued before, veterans can play a vital role in bolstering our nation’s cyber defense. They can also help bridge the public and private sectors. Many of the top cyber experts in the U.S. come from the Air Force and other branches of the military. As more and more service members take off their uniforms, DHS and other agencies should partner with security firms to offer – and pay for – specialized training for veterans who want to enlist in a new battle against cyber incursions.
These three steps – passing CISA, partnering with the tech industry in the construction of this new platform, and training veterans – would go a long way in restoring trust between government and industry on privacy and the broader fight against cyber threats. America is the greatest tech nation on the planet. We need our entrepreneurs and innovators to be engaged in the battle – not on the sidelines. On issues from information exchange, to encryption, to cyber insurance and more, the private sector can serve as a crucial partner to the government in mitigating cyber risks.
As Congress prepares to approve CISA, government and industry should seize on new opportunities to restore trust and take crucial next steps in shoring up our nation’s cybersecurity.
Peter J. Beshar is Executive Vice President and General Counsel of Marsh & McLennan.