Exchanging information on cyberattacks is the single best way to prevent them, a panel of experts told a Senate committee on Wednesday.
The Senate Homeland Security and Governmental Affairs Committee met to discuss ways Congress can help the business community, as well as government agencies, protect themselves from cybercrime, which can run the gamut from attacks on social media sites to wholesale data breaches and financial theft.
The recent high-profile hack of Sony Pictures Entertainment, along with an overall spike in cyberattacks worldwide, has revived calls for legislation to help businesses, consumers and the government protect their digital infrastructure.
“Over the past year alone, we saw cyber-attacks on [Sony and] retailers like Target, Home Depot and Neiman Marcus, and U.S. government systems,” committee chairman Sen. Ron Johnson (R-Wis.) said. “[We need] to develop an understanding of the reality of the cybersecurity threat, what businesses can do to better defend themselves and what they need from the federal government.”
Sen. Tom Carper (D-Del.), the committee’s ranking member, called the attack on Sony, in particular, a “turning point” that served to magnify the threat of such crimes and make cybersecurity a top priority for Congress this year.
$445 Billion Drain
While there’s some disagreement over how best to go about it, there appears to be universal support for the idea that sharing information among the private and public sectors is crucial to stemming the growing threat of cyberterrorism.
And that threat — whether from organized crime, lone hackers or state-sponsored infiltrations from enemies of the U.S. — is indeed growing, and will continue to grow in the years to come, experts say.
“[The] global cost of cybercrime has reached over $445 billion annually,” Gregory T. Nojeim of the nonprofit Center for Democracy and Technology told the committee, citing a 2014 study. “And the average cost of cybercrime to each of 50 U.S. companies surveyed [came in at] $12.7 million per company.”
That’s up from $6.5 million per company just four years ago, Nojeim said.
He added that the frequency of attacks also is on the rise, growing 144 percent since 2010. And the average time to resolve them has grown, too, rising by 221 percent.
Perhaps more ominous is the average length of time — 205 days — it takes before a company even notices its systems have been compromised, according to Richard Bejtlich, chief security strategist at cybersecurity software maker FireEye.
“That means that, for nearly 7 months after gaining initial entry, intruders are free to roam within victim networks,” Bejtlich said.
The hearing took place a little over a week after President Barack Obama made cybersecurity legislation a priority in his State of the Union Address. It represents a rare point of agreement between the president and both parties.
Whether Republicans and Democrats can agree on the details of such legislation, however, is another matter.
The president’s proposal would offer incentives to companies to share information with one another and with the government, and would require them to strip personally identifiable information from any data they share.
Still, the White House plan falls short for some, largely because it does not offer companies protection from being sued for disclosing sensitive data to other companies or the government. Even with personal information deleted from shared information, the threat of legal consequences remains a very real concern for businesses, the witnesses said.
“The White House proposal does little to encourage company-to-company information sharing — it extends no liability protection for this sharing — and this is a significant shortcoming,” Nojeim said.
Indeed, business executives who testified at the hearing said that while the president’s proposal does make headway on the issue, the absence of liability protection would stymie efforts to get companies to freely share data with other businesses and the government.
“Legislation that provides targeted protections is sorely needed,” explained Marc D. Gordon, executive vice president and chief information officer at American Express. “Protections from liability and disclosure [would make] entities across sectors more willing to share key threat data.”
All of the witnesses at Wednesday’s hearing said privacy concerns among Americans and civil liberties groups are another obstacle to data sharing and cybersecurity legislation.
The revelations by NSA document leaker Edward Snowden about the agency’s domestic spying program have left many companies wary about sharing sensitive data with the government.
Hoping to address those concerns, Obama’s proposal includes at least one change from past efforts. The White House plan would make the Department of Homeland Security, not the NSA, the go-to agency for companies to contact with cyber threat information.
The NSA’s mission, Nojeim pointed out, often puts it at odds with those trying to prevent cyberattacks and plug holes in security.
“In addition to its mission of defending information security, the NSA is also tasked with gathering intelligence — including through [online] vulnerabilities,” he said.
If the NSA receives information about a cyber threat from a company or other agency, for instance, it could “hide and exploit the vulnerability,” Nojeim said, “instead of disclosing it to those who could patch it.”
Contractors On Board?
One committee member on Wednesday said that while sharing between companies and the government is key, an often-overlooked safeguard is just as crucial — making sure a company’s contractors and vendors are as conscientious about cybersecurity as the companies they’re working for are.
Sen. John McCain (R-Ariz.) pointed to the infiltration two weeks ago of some of the U.S. military’s social media accounts, which are operated by private contractors. Hackers sympathetic to, or working with, Islamic militants apparently gained control of a YouTube channel and Twitter feed and used them to threaten American troops and post the names and addresses of several top Pentagon generals.
“It is absolutely crucial that outsourcing contracts have requirements for security and privacy,” Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing Group, said in responding to McCain’s point.
Added Peter J. Beshar, executive vice president and general counsel of Marsh & McLennan Companies: “A large company’s defense is only as good as the weakest link amongst its vendors.”