The Complex

Napolitano: U.S. and allies must improve info sharing on cyber threats

As cybersecurity grows in importance, the United States and its allies need to improve information-sharing and collaboration on cyber threats, Homeland Security Secretary Janet Napolitano said today.

While the United States does share information about cyber threats with some allies via existing mechanisms such as the Five Eyes agreement, it does so on an ad hoc basis. There is no specific structure for sharing cyber intelligence despite the fact that cyber threats and attacks crisscross international boundaries, said Napolitano after a speech on cybersecurity at the Center for Strategic and International Studies.

"Cybersecurity, first of all, it is inherently international, it respects no national boundaries," Napolitano said. "Second, there are no international protocols or frameworks on which to hang things. Thirdly, there is a wide disparity in technological capacity among different countries, so it's really an area that requires a lot of work, but the plain fact of the matter is we have to work internationally."

As Killer Apps has reported previously, Pentagon officials have argued that rapid information-sharing between allies is badly needed to defeat cyber attacks since the cyber domain transcends national borders. Hackers in one country going after networks in another can often disguise their attacks to appear as if they are emanating from servers in a third nation. As Napolitano pointed out today, not all countries have the ability to detect cyber threats and attacks quickly. This means that a country whose servers are hijacked may not even know that it is hosting an attack.

"This is one area where there will need to be a lot of work over the next, I will say months and years, it is not well developed yet," said Napolitano.

In addition to improving information-sharing with its allies, the United States is working to establish international "norms of behavior" in the cyber arena that are based on the law of armed conflict. These norms would define acts of cyber war, espionage, and crime and would establish what constitutes an appropriate response to such acts. However, these efforts are being held up by nations such as Russia and China, Pentagon officials say.

Here's what Eric Rosenbach, deputy assistant secretary of defense for cyber policy, told Killer Apps about the matter last month:

"We look at cyber just like you would look at any other form of warfare or military operations," Rosenbach said. "So the law of armed conflict applies, and within that you can already interpret what would be acceptable in cyberspace. We don't have a lot of case history to back up the customary aspect of it in international law, but we think that the framework is already there."

Russia and China are focused more on controlling citizens' activities on the Internet than on limiting attacks on nations' critical infrastructure, he said.

"There are other countries, the Chinese and Russians in particular, that don't think the law of armed conflict is the best framework to view these things through and they focus much more heavily on control of information than they do on the security of crucial infrastructure or preventing the destruction of networks."

Rosenbach went on to call this a "nonstarter."

"To say that your model of an international law for cybersecurity is based on controlling media content or what people can say about the government isn't something we're interested in at all," he said. "There are other areas -- in particular, the theft of intellectual property -- because that's a major problem for the United States right now, where there are very different ideas about what's acceptable and what's not."


Napolitano: Cybersecurity legislation preferred over exec order

Here's your midweek update on the push from the White House and Congress to establish minimal cybersecurity standards for banks, energy firms, transportation companies and communications businesses -- frequently called critical infrastructure providers by the government.

While Senate Majority Leader Harry Reid (D-Nev.) has said he plans to call for a vote on the Cyber Security Act of 2012 next month, the White House is still circulating a draft of its executive order -- or "EO" -- on cybersecurity to businesses that it would affect in an effort to get their feedback.

"In light of the failure of the Congress to be able to pass legislation this past year, in part, because we recognize given the severity and urgency of the situation we can't simply wait if Congress cannot act," Homeland Security Secretary Janet Napolitano said after an Oct. 25 speech about cybersecurity at the Center for Strategic and International Studies. "One of the things that's happening now is outreach into the private sector and other stakeholders to look at it and get some feedback before any EO would be issued if there is, ultimately, that decision."

Still, senior administration officials maintain that they would like to lose this race to lawmakers. During questions after her speech today, Napolitano echoed the White House and Defense Department's argument that legislation is key to protecting the nation's critical infrastructure from cyber attack.

"If you ask me what concerns me the most, is that in an interconnected world, where infrastructure is concerned you could have entities that are doing a really good job, but it only takes one or two to create a gap in the system and then the gap can have a domino effect," said Napolitano. "That's why having legislation, I think in the end, is going to be absolutely necessary to make sure we have [a set of uniform] best practices that are incorporated in the core infrastructure of the country."

Napolitano added that while legislation is a better way to deal with securing critical infrastructure than an executive order, the lame-duck Congress will have plenty on its plate when it returns in mid-November, including trying to reach a deficit reduction deal to avoid the massive government spending cuts that are scheduled to take effect in January.

The White House is keeping a tight lid on the details of its executive order, saying only that it will take a "collaborative" approach with businesses and lawmakers in developing cybersecurity "best practices" for critical infrastructure providers. Any such order will have strong privacy and civil liberties protections in place, according to the White House. In addition to establishing best practices, the order may provide a means for rapid information sharing about cyber threats between businesses and the government.
