Recently, the White House announced the creation of a new federal agency to coordinate the United States’ cyber threat intelligence. Here to comment on this news are four experts in the field of information security: John Gunn, Vice President of VASCO Data Security; Jonathan Sander, Strategy & Research Officer at STEALTHbits Technologies; Ken Westin, Senior Security Analyst at Tripwire; and Richard Blech, CEO at Secure Channels.
“Criminal hacking organizations have well developed methods of collaboration and information sharing. They trade information about vulnerabilities and weaknesses to make their attacks more successful, and they license hacking tools to each other. They collaborate in attacks and have a structured method to share in the profits. The intended victims need to have an equally effective method of sharing information and defense strategies, or they will forever be at a disadvantage.
“Having a single agency with primary responsibility for cyber-defense is a smart idea. Even those who are opposed to additional federal agencies will have to agree that reducing redundancies and adding accountability for directly measurable results is a positive move.
“Let’s face the facts. Foreign-based operatives are attacking American assets; no lives have been lost yet as a direct result, but the damage to U.S. interests is in the billions of dollars. The formation of this agency is an important step towards being able to launch retaliatory actions and establish a deterrent to attacking U.S. targets. Private investment in cyber security is important, but we also need the equivalent of ‘boots on the ground’ in our battle against cyber-terrorist and criminal hacking organizations.”
“If the Cyber Threat Intelligence Integration Center (CTIIC) can increase the level of information sharing in the digital security world, then that will be a very positive thing. However, it will rely on private sector participation, which means private sector cost, which will never get private sector funding without some teeth. No business will spend money to give CTIIC data from a sense of national pride. There will either need to be a motivating carrot or a regulatory stick. Perhaps some visionary private firms will see a future with fewer cyber threats interrupting business and decide to play along. These will be a vanishingly small percentage. Everyone in the security community knows sharing information leads to quicker, more effective responses to threats and incidents. But the security community doesn’t write the budgets. So as long as making the Cyber Threat Intelligence Integration Center’s rivers flow means drawing from the private sector’s wells of information, the government may find the levee is dry.”
“I think a lot of people are scratching their heads thinking, ‘We don’t already do this?’ I think one of the big challenges with inter-agency intelligence sharing will be internal politics that come into play; there has been a history of this within these agencies which has impacted the effectiveness of several cyber defense programs. I am also interested in seeing how the new agency will be staffed, for most agencies are already under-resourced given a limited talent pool, paired with the fact that those with the requisite skills can make much more in the private sector. Ensuring that the agency is adequately resourced and staffed is going to play a critical role in the success of any cyber threat intelligence program. The government has not had a solid record when it comes to developing large scale distributed information systems, not to mention ensuring that those systems and data are secured. All skepticism aside, I think it is a step in the right direction, and I am optimistic that the agency will help make an impact on securing the nation’s cyber infrastructure. It is a great idea that is long overdue, but the challenge will be in its implementation.”
“The Obama administration’s plan to establish a new agency to combat cyberattacks has great intent; the problem is the government does not move at the same rate as technology or the hackers. Unfortunately, businesses have consistently taken the path of least resistance in regard to cybersecurity. Security as an afterthought is exactly how we got into this mess in the first place. Businesses have the responsibility to protect their own data; opening up the control to the government opens up new vulnerabilities, from sharing trade secrets to recognizing responsibilities for protection. The hackers will arrive before the government can react – the only answer is to protect the data with the strongest encryption possible. When the data is stolen, at least the government can investigate the breach knowing the stolen data has not been compromised. As Amy Pascal has learned, the buck stops with the heads of the companies, not the government.”