Key stakeholders in government and private industry experts gathered today in Washington D.C. to talk with Bloomberg News investigative reporter, Michael Riley about The Future of Cybersecurity: Risk and Resilience Across Critical Infrastructure.
The discussion was also streamed live and included a panel of four cybersecurity experts who weighed in on the government's role in protecting private industry from cyber-attacks. Alarmingly, most of the discussion confirmed a high level of distrust for the government. Members of the private sector don't feel the government would protect them if they were attacked.
Scott Goodhart, VP and CISO, AES Corporation said that much can be done to improve information sharing, particularly since most of the intelligence that is collected is information that people wouldn't understand. "I need indicators of compromise in order to take action," Goodhart said.
"In our sector, we are strong with sharing information with each other. There's a level of trust there," Goodhart said. However, in a regulated industry, sharing is less frequent because people don't want regulators on their backs.
The problem, said renowned cybersecurity expert, Niloofar Razi Howe, is that there is an authority and capability mismatch. "The Department of Homeland Security (DHS) has the authority, but the Department of Defense (DOD) and the National Security Agency (NSA) have the capability. That creates issues with communicating in real time."
Lack of a coordinator, clarity, policy and strategy contribute to this fissure between the public and private sectors, especially when it comes to things that only a government can do.
"Deterrence policy is unique to the government," said Razi Howe. Short of policies that deter any type of cyber malfeasance, organizations can't protect themselves. Not only is the US without deterrence policies, but panel members agreed there is no real comprehensive conversation about what the current administration is doing in its cybersecurity strategy.
Daniel Ennis, head of threat intelligence, BlueVoyant, though, does have trust that the government is doing something. "There is a great deal of planning and activity that occurs that is not transparent to people in the public. I don't want folks to think that the government is not trying to deter," Ennis said.
Still, there is confusion about who is in charge, and the elimination of the cybersecurity coordinator position did little to clarify that confusion. Ennis did say that the "divisiveness downtown is not helping. Now we have to come together and collaborate. We need to enjoin to form a centralized management and engage the public in a way that they understand the threat."