Cybersecurity up for Discussion in Nashville

Last week, the Senate passed the Cybersecurity Information Sharing Act of 2015, or CISA, 74-21. The bill is essentially an information-sharing bill, designed to allow companies that are hit by a hacker to share information--called “cyber threat indicators”--with the U.S. Department of Homeland Security, or DHS. DHS can then put out an alert, share suspicious code and warn other firms about the threat. 

The House passed its own version of the bill—Protecting Cyber Networks Act—back in April. 

In a statement released Oct. 22, Pres. Obama pledged support for CISA. 

“An important building block for improving the nation’s cybersecurity is ensuring that private entities can collaborate to share timely cyber threat information with each other and the federal government,” he said.  

But the cybersecurity bill is highly controversial, with critics claiming it will allow intelligence agencies to invade a citizen’s privacy without a warrant and focuses on the wrong aspect of cybersecurity by not setting up security standards for companies. 

Through the Center for Internet and Society at Stanford Law School, a group of more than 60 technologists, academics, and computer and network security professionals wrote a letter to congressional leaders in April, expressing their concerns with the bill. 

“We do not need new legal authorities to share information that helps us protect our systems from future attacks,” the letter stated. “Generally speaking, security practitioners can and do share this information with each other and with the federal government while still complying with our obligations under federal privacy law.”

“This excess sharing will not aid cybersecurity, but would significantly harm privacy and could actually undermine our ability to effectively respond to threats.”

Cybersecurity is not just a hot topic in Washington, D.C., but also in statehouses across the country. 

“It’s not a matter of if a (cybersecurity) breach will happen, but when,” said Brenda Decker, Nebraska’s chief information officer. 

At the CSG Cybersecurity Public Policy Academy held earlier this year in Missouri, Doug Robinson, executive director of the National Association of State Chief Information Officers, presented information from a 2014 Deloitte-NASCIO survey that asked state information chiefs the major barriers their state faces when addressing cybersecurity. 

“Increasing sophistication of threats is number one,” said Robinson, “followed closely by lack of adequate funding.” 

The survey found that 78.9 percent of state chief information officers thought the increasing sophistication of threats was a major barrier in preserving state cybersecurity, followed by lack of adequate funding (65.4 percent), inadequate availability of security professionals (61.5 percent) and emerging technologies (61.5 percent). 

Cheri Caddy, director for cybersecurity policy outreach and integration for the White House National Security Council, offered some insights to policy academy attendees from the federal perspective. 

“As President Obama noted recently, it is one of the great paradoxes of our Information Age that the very technologies that empower us to do great good can also be used by adversaries to inflict great harm,” she said.

Caddy agreed that increasingly sophisticated threats are a concern at both the state and federal levels.

“Unfortunately, the cyber threat is growing broader, more sophisticated and more dangerous,” she said.

Caddy said cybersecurity threats call for a new level of collaboration—across all levels of government and across agencies. 

“In the face of this growing threat, we are challenged by a mission that requires a uniquely diverse level of coordination among functions—including technology, law enforcement, defense and intelligence, homeland security and even first responders—and among all types and sizes of organizations,” said Caddy.

“The key to meeting the cybersecurity challenge will continue to be maturing coordination among these stakeholders, including sharing cyber threat information and defining roles and responsibilities for cyber incident response.”

To help state leaders better understand how states are addressing cybersecurity, CSG will host a conversation with Doug Robinson and others during the Intergovernmental Affairs Committee meeting on Saturday, Dec. 12 from 2:30-5 p.m. as part of the CSG National Conference in Nashville, Tenn. To register for the conference or to learn more, visithttp://www.csg.org/2015nationalconference.