Cybersecurity Coordinator: Don't 'Waste a Crisis'
Uses Anthem Breach to Promote Obama's Legislative Agenda
White House Cybersecurity Coordinator Michael Daniel doesn't want to let a good crisis go to waste.
The special assistant to the president for cybersecurity sees the cyber-attack against health insurer Anthem Inc., along with previous breaches at Sony Pictures, Target and Home Depot, as opportunities to promote the Obama administration's cybersecurity agenda. "I am trying to make the most of the phrase, 'never let a good crisis go to waste' and really drive toward putting in place some policies to make some improvements," Daniel said, referring to economist Milton Friedman's now-famous aphorism.
In the past month, the White House has outlined an aggressive cybersecurity agenda, including proposing a national breach notification law and legislation to encourage businesses to share cyberthreat information with the government.
Cybersecurity Summit Slated
Daniel's comments came during a Bloomberg-hosted webinar on Feb. 5, when he previewed the Feb. 13 White House Summit on Cybersecurity and Consumer Protection at Stanford University, which will touch on improving businesses' cybersecurity practices, as well as fostering the use of more secure payment systems.
The Obama administration wants the summit to advance efforts to share data between the public and private sector. Daniel said that one of his goals will be to take the amorphous term of "threat intelligence" and attempt to drill down into the precise data points that security experts believe need to be shared to demonstrably improve security. By pinpointing what needs to be shared, such as indicators of compromise, IP addresses and Internet traffic, Daniel said he hopes that Congress will be able to craft more precise legislation that assuages businesses' privacy concerns, while gathering the types of data that could help more U.S. businesses more quickly block or blunt cyber-attacks.
The White House has threatened to veto previous Congressional attempts to pass cyberthreat information sharing legislation on the grounds that they failed to put sufficient privacy protections in place, while granting overly broad liability protections to businesses (see White House Threatens CISPA Veto, Again).
But no one should expect that crafting cybersecurity legislation, and getting it passed, will happen quickly, Daniel acknowledged. For comparison purposes, he cited the failed attempt by U.S. armed forces to rescue hostages in Iran in 1980, which was ordered by President Carter. An investigation into the debacle recommended a significant number of Department of Defense changes, including overhauling the Joint Chiefs of Staff. But related legislation - the Goldwater-Nichols Act - wasn't passed by Congress until 1986.
Intelligence-Gathering Norms
When it comes to notions of state-sponsored hacking, Daniel said it's obvious that nations will use cybersecurity tools to wage espionage. "Yes, nation states are going to use cyberspace in order to achieve their foreign policy goals, and this should not shock anybody," he said. "When we invented boats, we invented navies. When we invented aircraft, air forces developed."
But the Obama administration has gone to great lengths to attempt to distinguish the type of online espionage the U.S. practices from the industrial espionage practiced by such countries as China. In particular, the White House has accused the Chinese government of targeting foreign intellectual property and then feeding it to its domestic businesses.
On that front, the White House wants to create some "rough rules of the road" for what constitutes acceptable governmental behavior in cyberspace. For example, Daniel said that during the Cold War, the Soviet Union and the United States refrained from attempting to sabotage each other's critical infrastructure. That behavior wasn't the result of a formalized agreement, but rather an informal code of conduct.
That approach is tied to the federal government's just-issued national security strategy, which pledges to take the necessary actions to defend America's businesses and networks against the cybertheft of trade secrets for commercial gain, whether by private actors or the Chinese government.
"As more of the world comes online, we're leading an international effort to define the rules for how states engage with one another in cyberspace, while ensuring the Internet remains a powerful tool to drive future advances," National Security Adviser Susan Rice said in a Feb. 6 speech at the Brookings Institute. "At the same time, we are committing new resources to bolster the security of U.S. critical infrastructure, government networks and other systems against cyberthreats."
Reacting to Sony
The attempt to create norms for cyberspace behavior helps explain why the White House took the unusual step of attributing the hack against U.S. movie and television studio Sony Pictures Entertainment to North Korea (see How NSA Hacked North Korean Hackers).
But it's often not in the administration's interest to attribute attacks because doing so could foster debates in which some security experts question the government's conclusions, Daniel acknowledged. After the government attributed the Sony Pictures hack to North Korea, many security analysts questioned whether there was enough evidence to support that conclusion (see Report Claims Russians Hacked Sony). But there were three aspects to the Sony hack that made the administration decide to make that attribution public, Daniel said: It was destructive, coercive and an assault on free speech.
"While it may not have been critical infrastructure, it was an attack on one of our core values: freedom of speech," Daniel said, referring to the motion picture "The Interview," which hackers demanded Sony pull from release. "Yes, it may have been a Seth Rogen comedy this time. But next time it could be Bloomberg reporting on something that some country doesn't like. We didn't want this to be sort of handing the playbook for how you suppress speech in the United States."
(Executive Editor Eric Chabrow contributed to this story.)