Telecommunications companies believe that better information sharing among private sector companies is a necessary next step to ensure better critical infrastructure cybersecurity, a goal that can best be accomplished by Congressional action in the wake of President Obama's February cybersecurity executive order and policy directive. Or at least that view seemed to be the consensus held by a group of executives speaking today during a policy briefing hosted by USTelecom.
"When it comes to cybersecurity, one of the things we want to get to as an end-state is real-time information sharing. The best way to do that is with automated threat-sharing," Chris Boyer, Assistant Vice President of AT&T, said. "One of the obstacles to that is whether or not that is permitted under the existing legal framework. Every time something comes up with security, we have to consult with our legal department to determine if it can be shared. We really want to expedite that process so that we can make it real-time and respond to the threats."
"We certainly don’t have any automated real-time information sharing links between AT&T and CenturyLink," Kathryn Condello, Director of Cybersecurity and Emergency Preparedness at CenturyLink, said. "The information sharing does exist but it’s more informal and ad hoc. The time, the speed, the acceleration, the nature of the cyber threat is much, much faster" than what ad hoc information sharing can handle.
"The information-sharing piece is the most immediately important thing for us," Kate Dean, Executive Director, United States Internet Service Provider Association, said. "To improve and enhance private-to-private and government-to-private will really require an action by Congress."
The NIST-derived cybersecurity framework specified in the Executive Order may not be as important to major telecommunications providers as it will be to smaller companies or other companies in other critical infrastructure sectors because telecom providers are forced by the marketplace to implement best-of-breed security measures. "There are going to be some sectors where [legislatively extended] incentives [to abide by the framework] are more important than others. I think the fact that we have to deliver our services on a nanosecond by nanosecond basis has driven the adoption of standards" in telecom, Condello said. "I think that we may find that even if they offered us the incentives, the vast majority of us have already been doing that."
This issue of how cybersecurity practices vary from big to small companies, from competitive to regulated industries, is a theme that has emerged over the past few months, one echoed during the briefing by administration point person Ari Schwartz, Senior Policy Advisor, Department of Commerce. "I've heard a lot from some of the leaders in this space 'What are you going to tell us that we’re not already doing?' If you’re a leading company you’re already doing what you need to do to protect this space." But, "there are a number of companies that are not even putting the basic protections in place," he said.
The telecom providers also agreed that for now the Federal Communications Commission (FCC) should bow out of the process, despite the fact that the presidential policy directive accompanying the order (PPD-21) directs the FCC to partner with the Department of Homeland Security (DHS) and others in developing guidance and recommendations. "When you look at what’s happening now...there are eight streams within the sector coordinating council [at DHS], there will be a lot of activity around the framework. As a practical matter it will be a challenge for the industry to staff additional work over at the CSRIC [Communications Security, Reliability, and Interoperability Council at the FCC]," AT&T's Boyer said.