The FISMA Focus IPD

Efforts to reduce barriers to information sharing in the cyberworld have met with criticism, but some in industry are emphasizing the necessity of swift action.

The effects of Hurricane Sandy on the Northeast gave the United States a powerful insight into what happens when critical infrastructure fails in dense population centers. Even with days of warning, thousands of people still find themselves without basic services. Before that superstorm formed, however, security experts were considering the effects of a man-made catastrophe implemented through breaches in cybersecurity that could strike at any time without prior notice, causing even more widespread damage. Leading up to the election, an executive order is pending to try to prevent such an event, but regardless of whom voters elect as their next leader, some in industry are calling for swift action to put preventative measures in place.

Drafted in response to Congress’ decision not to pass a cybersecurity act earlier this year, the executive order, if signed, is expected to authorize the Department of Homeland Security to create different information security programs and to facilitate better information sharing among government and private-sector partners involved in cyber activities. Legislators and groups outside government have criticized several aspects of the various efforts to reduce current restrictions that prevent organizations from passing on their knowledge of vulnerabilities or attacks to others who need it, expressing particular concern about violations of citizens’ privacy.

But Dave Frymier, chief information security officer at Unisys, says some type of protective measure is needed immediately. He believes recent attacks on banking institutions should have served as precipitating events demonstrating the importance of broadening information-sharing rules. Earlier this year, several major financial institutions in the United States suffered denial of service attacks that they were unable to stop despite having forewarning that such events would occur. Experts believe the attacks originated in Iran.

Frymier explains that the perpetrators used botnets to implement their plans. Owners of machines infected with that type of threat generally are unaware of their vulnerabilities, making it easy for criminals to use their systems to launch attacks. Groups such as antivirus companies who could tell where problems originate and who is affected are prohibited by data security and privacy regulations from taking steps to address the issues. “We’ve got to do something about these botnets,” Frymier says. He would like to see a solution that resembles due process in the physical world, in which authorities who suspect something is wrong can take action to prevent a larger crime. “Exactly what that would look like needs to be hammered out in [legislation],” Frymier states. “The cyberworld has some eerie analogies to the real world.”

Eliminating barriers among fragmented government and industry cybersecurity partners could help the safety of everyone. “Absolutely it is a good thing for government and the private sector to work together to secure the country,” Frymier explains. “If we don’t, the Internet is going to fall apart. These attacks on the banks are the canary in the cave.” He adds that it is legitimate for people to have concern over “Big Brother,” but he believes leaders can put in place reasonable measures to protect both privacy and the cyberdomain.

Mark Seward, senior director of security and compliance at Splunk, and Bill Cull, vice president of the public sector at the same company, agree with Frymier. Seward explains that in many cases, the private sector already is sharing information with the government, and that action from those in elected authority could make this easier, eliminating some layers of bureaucracy. He adds that partnerships in cybersecurity are important for the maintenance of the lifestyle enjoyed by U.S. citizens. Organizations that supply power and water, for example, are experts in providing those services but not in preventing cyber attacks. Companies or government agencies with cyberknowledge can play a crucial role in keeping those basic necessities up and running. Seward believes that stalling on taking action could result in the United States becoming like a third-world nation overnight as the result of a major attack.