DHS Should Focus on Improving Cyber Info Sharing Authorities, Experts Say
President Donald Trump's administration should focus on improving the Department of Homeland Security's existing cybersecurity information sharing programs rather than making an attempt to increase the role of the Department of Defense in the information sharing space, cybersecurity experts told the House Homeland Security Subcommittee Thursday. Witnesses and House Homeland Security members acknowledged DHS must continue to improve its Automated Indicator Sharing (AIS) and Cyber Information Sharing and Collaboration Program (CISCP) programs. The 2015 Cybersecurity Act made DHS the main civilian portal for cyber information sharing (see 1512180052).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
DHS “has made great headway” on cybersecurity in recent years and particularly since implementing the 2015 Cybersecurity Act, said House Homeland Security Cybersecurity Chairman John Ratcliffe, R-Texas. But “very clearly more work needs to be done. It is not enough to simply have programs in place.” The government “must be constantly measuring, bench-marking and setting goals associated with their outcomes,” Ratcliffe said. “Additionally, DHS needs to become fully operational so it can most effectively carry out the cybersecurity authorities Congress deliberately gave the department just over a year ago.”
DHS “has made major strides” on information sharing but the focus should now be on improving the department's implementation of that role, said House Homeland Security Cybersecurity ranking member Cedric Richmond, D-La. It would be a mistake to bring DOD and the Joint Chiefs of Staff into a civilian cybersecurity role now, as Trump has proposed, since that would “represent a radical departure” from DHS' role as the lead civilian cyber agency, Richmond said. Trump pledged in November to direct the DOD and the chairman of the Joint Chiefs of Staff to “develop a comprehensive plan to protect America’s vital infrastructure from cyberattacks, and all other form of attacks” (see 1611220065).
Symantec Senior Director-Global Government Affairs and Policy Jeffrey Greene urged the Trump administration to make a “clear statement” that a civilian agency would lead the civilian side of federal cybersecurity policy. Sending that message is especially important for assuring companies that have cultivated a relationship with DHS on cyber information sharing that those relationships will continue, Greene said. Now that DHS has “made significant progress” in its handling of cyber information, it must focus on improving its analysis of that information, he said. DHS reports already include analysis but sometimes “fall short,” Greene said. “The need for context and vigorous vetting is just going to grow” over time.
Intel Security Group Chief Technical Strategist Scott Montgomery said DHS needs to increase the types of cyber information it shares with the private sector to ensure the flow of information becomes more equal. He called on Congress to offer tax credits as an incentive for private sector firms to join sector-specific information sharing and analysis centers. Montgomery also highlighted the need for an “intense focus” on improving cybersecurity education given the ongoing shortage of trained candidates for cybersecurity-centric jobs. “We're having trouble hiring people too,” he said.
Palo Alto Networks Vice President-Cybersecurity Strategy and Global Policy Ryan Gillis said he believes there's an opportunity now to “expand the nascent capabilities” that DHS rolled out via AIS and CISCP. DHS should now focus on more effectively implementing the 2015 Cybersecurity Act now that there are no longer “massive statutory barriers” to implementing the law, he said. AIS in particular has the right foundation in place but needs to provide more context in its analyses, Gillis said.
New America's Open Technology Institute Policy Counsel Robyn Greene urged the Trump administration and House Homeland Security to “continue to support” DHS' role in cybersecurity policy and to not take steps that would “water down” privacy and civil liberties protections included in the 2015 Cybersecurity Act. But she also highlighted ongoing flaws in the 2015 Cybersecurity Act that even DHS guidance was not able to patch. Those problems include “overbroad” authorizations for law enforcement agencies and a loophole allowing for the creation of a non-DHS information sharing portal, Greene said. A second portal would cause confusion about DHS' cybersecurity role and could decentralize the role that DHS' National Cybersecurity and Communications Integration Center plays in information sharing, she said.