Current and former policymakers admit it: The U.S. government needs to do a better job sharing cyberthreat information with the private sector if it’s going to defeat increasingly complex cyberattacks from nation states.
The exchange of cyberthreat information between the government and companies was the cornerstone of a 2015 bill hailed as landmark legislation to protect against digital attacks. But more than two years later, these comments at a Cyber 202 Live event hosted Friday by The Washington Post reveal the U.S. government has an incredibly long road ahead to effectively implement the legislation. Officials are finally acknowledging they have been too focused on trying to get companies to share information with them -- and less on sharing with private companies who want threat intelligence the government detects.
“No company out there, no state out there is going to overcome this challenge by themselves. We have to work together,” said Christopher Krebs, undersecretary for the Department of Homeland Security’s main cyber unit, the National Protection and Programs Directorate.
“We have to be thinking more broadly,” added Tonya Ugoretz, director of the Cyber Threat Intelligence Integration Center, which tracks cyberthreats from within the Office of the Director of National Intelligence. “The U.S. government does not have the monopoly on intelligence when it comes to cybersecurity.”
Ugoretz said the government could create a more “holistic picture” of the threats it sees by forging new relationships with the private sector's cybersecurity industry.
“The more that we can create a dialogue and mechanisms for sharing information between government and private sector back in the other direction,” she told my colleague Ellen Nakashima at the event, “that will help all of us be better able to play defense against some of these efforts.”
The Cybersecurity Information Sharing Act created incentives for private companies to share their threat intelligence with the federal government. By giving them legal immunity and setting up a more formal repository for that information through DHS, the hope was that the exchange of information would better prepare the country to defend collectively against attacks.
But few companies are participating. As the website NextGov reported recently, just six nonfederal entities have signed up to share their data. Lawmakers who supported the legislation had expected the number to rank in the thousands, according to NextGov.
Still, the fact that they’re not sharing doesn’t mean there’s nothing to share. All industry sectors are facing widespread threats — and it's going to take a “whole-of-government” response to help them, panelists said.
“If you talk to [chief information security officers] who are in financial institutions, they shake a lot and they sweat and they don’t sleep much, because they are overwhelmed at the sheer level,” Mike Rogers, the former Republican chair of the House Intelligence Committee, told my colleague Carol Leonnig. “You used to have criminals only trying to get in — now you have nation-states trying to get in, which makes their job incredibly difficult.”
“And we’re all going to pay a price for that,” Rogers said. “Without a concerted effort this is only going to get worse.”
There have been hopeful developments of collaboration, panelists said. One major success story, Ugoretz said, was the government’s work with private cybersecurity researchers to investigate and attribute the devastating WannaCry ransomware attack to North Korea. In that instance, she said, private-sector researchers had detailed data on the cyberattack that they shared with DHS and the intelligence community. “We relooked at that data that came from the private sector and I think realized what we had,” Ugoretz said. “The importance was having the relationships and the trust to be able to go to different partners and say, 'This part of the community needs this piece of information that another part has. And also, to be that kind of nudge to the community.'”
Krebs also noted, for instance, that DHS and the FBI are working with Microsoft to investigate unsuccessful hacks on three congressional candidates that the company revealed last week.
But the panelists agreed a broader partnership is necessary.
“It’s not just about government working together — it’s about industry and government working together,” Krebs said. “We have to have integrated, cross-sector, government-industry collaboration in the cybersecurity space, in the critical-infrastructure protection space. And that’s where we’re going.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: A Foreign Intelligence Surveillance Act application to wiretap former Trump campaign adviser Carter Page released Saturday by the Justice Department said Page carried out “clandestine intelligence activities” for Russia, The Washington Post's Shane Harris reported. The Justice Department released the application to surveil Page as well as three renewal applications, representing more than 400 pages of documents that are heavily redacted, according to Harris. “In the four decades that FISA has been in effect, it’s not clear that any application for surveillance has ever been released,” my colleague wrote. “Materials related to FISA operations and legal processes are among the most highly classified and closely guarded in the government. The New York Times, USA Today and the James Madison Project all sued for release of the materials.”
Page responded to the release of the FISA documents in an interview on CNN's “State of the Union” and denied being an agent for Russia. “On Sunday, Page said that it was 'ridiculous' and a 'complete joke' to believe he had been an agent of the Russian government,” The Post's Elise Viebeck and David A. Fahrenthold wrote. “'I’ve never been an agent of a foreign power by any stretch of the imagination,' Page said on CNN. That echoed President Trump’s own statements on the documents — issued via Twitter from Trump’s golf club in New Jersey — that the wiretap on Page was part of politically motivated spying on Trump’s presidential campaign.”
Congratulations to @JudicialWatch and @TomFitton on being successful in getting the Carter Page FISA documents. As usual they are ridiculously heavily redacted but confirm with little doubt that the Department of “Justice” and FBI misled the courts. Witch Hunt Rigged, a Scam!— Donald J. Trump (@realDonaldTrump) July 22, 2018
Looking more & more like the Trump Campaign for President was illegally being spied upon (surveillance) for the political gain of Crooked Hillary Clinton and the DNC. Ask her how that worked out - she did better with Crazy Bernie. Republicans must get tough now. An illegal Scam!— Donald J. Trump (@realDonaldTrump) July 22, 2018
Additionally, the release of the documents undercuts claims by House Intelligence Committee Chairman Devin Nunes (R-Calif.) that the surveillance of Page was tainted by political considerations, The Post's Philip Bump wrote. Bump lists several allegations made in a Republican memo released in February about the FISA application to surveil Page and compares them to the actual application released last week. “From the evidence at hand though, it’s certainly fair to assume that it’s Nunes’s memo, not the warrant application, that suffered from a stronger political bias in its creation,” Bump wrote. “We can’t entirely blame Nunes, though. In an interview with Fox News in February, he admitted that he himself hadn’t read the warrant application.”
PATCHED: Clemson University researchers gathered 3 million tweets from 3,841 Twitter accounts involved in Russia's efforts to sow discord in American politics and found that Russian trolls were especially active the day before WikiLeaks started releasing stolen emails from Hillary Clinton's campaign chairman John Podesta, The Post's Craig Timberg and Harris reported on Friday. According to the Clemson researchers, accounts used by Russia's Internet Research Agency sent more than 18,000 tweets on Oct. 6, 2016, my colleagues wrote.
“The Clemson researchers and others familiar with their findings think there probably is a connection between this looming release and the torrent of tweets, which varied widely in content but included a heavy dose of political commentary,” Timberg and Harris wrote. “'Hillary Clinton and Donald Trump: Which one is worse: Lucifer, Satan or The Devil?' said one tweet from an account called Gwenny that directed readers to a YouTube video.” Aside from the release of the Podesta emails, Oct. 7, 2016, was also the day that The Post published Trump's vulgar comments about groping women and the federal government accused Russia of seeking to interfere in the election. “The tweets overall reveal a highly adaptive operation that interacted tens of millions of times with authentic Twitter users — many of whom retweeted the Russian accounts — and frequently shifted tactics in response to public events, such as Hillary Clinton’s stumble at a Sept. 11 memorial,” Timberg and Harris wrote.
PWNED: The United States in recent years has been less and less assertive in shaping international cyber policies, ceding ground to China and the European Union in the process, Politico's Eric Geller reported Sunday. “The weakening American position comes as the European Union, filling a gap left by years of lax U.S. regulations, imposes data privacy requirements that companies like Facebook and Google must follow,” Geller wrote. “At the same time, China is dictating companies’ security practices with mandates that experts say will undermine global cybersecurity — without any significant pushback from the United States.”
Politico offers another example of America's loss of influence: the enactment by the European Union of rules such as the General Data Protection Regulation, which creates online privacy standards that U.S. companies have to abide by. The United States lacks a comprehensive cybersecurity agenda and has generally relied on voluntary standards rather than legislation and regulation to advance Internet policies, Geller writes. “The U.S. model looks both paralyzed and somewhat feckless, while the Europeans and the Chinese are making progress and, in many cases, damaging the openness of the internet,” Adam Segal from the Council on Foreign Relations tells Geller.
— More cybersecurity news:
The release of the application to surveil Page drew a mix of sharp reactions on Twitter.
From the New York Times’s Charlie Savage:
Some say the Steele dossier was the sole basis of the application. That's false. There are redacted pages of other facts we can see it cited info from a prior investigation into Russian spies who sought to recruit Americans. (They targeted Page https://t.co/VEWt3YGRfX )/13 pic.twitter.com/pg6ycTfodB— Charlie Savage (@charlie_savage) July 22, 2018
From the Los Angeles Times’s Chris Megerian:
So are they proposing that law enforcement be prevented from using motivated sources? No, they are not. (4/10)— Chris Megerian (@ChrisMegerian) July 22, 2018
From Sen. Marco Rubio (R-Fla.):
The @FBI had many reasons to look into this guy. And looking into him is not “spying” on Trump campaign, because as the White House made clear last year, he was “not an ‘advisor’ to Mr. Trump in any sense of the word.” https://t.co/rhRUB87OVa— Marco Rubio (@marcorubio) July 22, 2018
From Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee:
The release of the Carter Page FISA application makes clear, once again, the FBI acted lawfully and appropriately.— Adam Schiff (@RepAdamSchiff) July 22, 2018
This hasn’t stopped the President and Republicans from repeating the same fraudulent talking points in the discredited Nunes memo.
Sadly, some things never change: https://t.co/b4JPj86Mka
From the libertarian Cato Institute’s Julian Sanchez:
If you have issues with the Carter Page FISA application, then you have issues with FISA generally, because there’s zero indication there’s anything unusual about this application, other than the fact that its target worked on a U.S. presidential campaign.— Julian Sanchez (@normative) July 22, 2018
— Score one for Trump against Congress. “Senate Republicans have dropped their attempt to reimpose U.S. sanctions on the Chinese telecommunications giant ZTE, lawmakers said Friday, a victory for President Trump as congressional Republicans abandoned a rare effort to thwart his agenda,” The Post’s Erica Werner reported. “The retreat means ZTE, a company found guilty of selling U.S. goods to Iran in violation of sanctions, will duck Commerce Department penalties that bar U.S. companies from doing business with it.”
Senators dropped the provision and language from House lawmakers prevailed, according to Werner. “The House language bars U.S. government agencies and contractors from doing business with ZTE, but allows the company to continue doing business with private U.S. firms,” my colleague wrote. Rubio expressed disappointment on Twitter and said he was “surprised” that senators “caved so easily.”
— Public officials and transparency advocates are debating where privacy ends and public records begin as private messaging applications expand across the nation, including among government officials, the Associated Press’s Ryan J. Foley reported. “Some government officials have argued that public employees should be free to communicate on private, non-governmental cellphones and social media platforms without triggering open records requirements,” Foley wrote. “Lawmakers in Kentucky and Arizona this year unsuccessfully proposed exempting all communications on personal phones from state open records laws, alarming open government advocates. A Virginia lawmaker introduced a bill to exempt all personal social media records of state lawmakers from disclosure.”
— More cybersecurity news from the public sector:
"Facebook said Friday it suspended a longtime partner that had used data from Facebook and other social networks to assist governments — including Russia, Turkey, and the United States — in monitoring public sentiment, a more cautious approach in the aftermath of a data privacy scandal," my colleagues Elizabeth Dwoskin and Craig Timberg report. The action appears preemptive. "Facebook said that Boston-based Crimson Hexagon did not do anything inappropriate but that it is curtailing the company’s access to its data while conducting an investigation," according to Dwoskin and Timberg.
- House Oversight Committee hearing on securing the U.S. election system tomorrow.
- House Homeland Security Committee markup of H.R. 6443, titled Advancing Cybersecurity Diagnostics and Mitigation Act, tomorrow.
- House Homeland Security subcommittee hearing on “federal cybersecurity risk determination” on July 25.
- Two House Oversight subcommittees hold a hearing titled “GAO high risk focus: cybersecurity” on July 25.
- The Brookings Institution hosts a panel discussion on online privacy on July 26.
Iranian President Hassan Rouhani warns the United States of the “mother of all wars”:
Tightrope walker conquers 115-foot high stunt in Paris:
Can you teach happiness? New Delhi says yes: