Public-Private Partnership, Information Sharing Key to NIST Cybersecurity Framework Success

(Washington, DC)  Improving private sector relations with the government, particularly in the area of threat information, will be central to the future success of the cybersecurity framework issued last week by the National Institute of Standards and Technology (NIST), according to a panel of industry representatives speaking at a Bloomberg Government cybersecurity conference here today.  That framework was developed pursuant to an executive order signed by President Obama last February and is slated to be final under the order by February 2014.

When asked to rate the still-preliminary framework on a scale of one to ten in terms of how well the public-private partnership has worked so far in developing the framework, Dean Garfield, President and CEO of the Information Technology Industry Council, rated the effort an 8.5.  "What was surprising to me is that there is broad consensus on policy issues," he said.

"It's improving, it's moving toward the higher end" of the scale, Robert Mayer, Vice President of Industry and State Affairs at telecom trade association USTelecom, said.  "The grade is obviously incomplete [but] I'm encouraged by the direction we're moving in," Internet Security Alliance CEO Larry Clinton said.

Jeremy Bash, Managing Director of policy consulting firm Beacon Global Strategies, however, rated the effort as merely a three "because there is a huge disconnect with industries.  For the vast majority of enterprises, this issue is not yet on the radar screen." Most industries "fundamentally want one thing - they want the government to share sensitively derived threat [information]," Bash said.

Incentives, which are also addressed separately in the executive order, are also key determinants of how well the framework will be adopted.  One important incentive is to improve information sharing between the government and private sector, Garfield said.  "Making sure we have the capacity and communication internally within the administration and the government to share and make use of the information that has been shared," is crucial.

The problem is going to be that many incentives, including some of the liability protections needed for effective information sharing, will require statutory authority, necessitating an act of Congress, Mayer said, a very difficult feat given the current legislative environment.  One big problem with threat information sharing is that "the government doesn't want to share data because they are afraid the source of the data will come out," Clinton said.  "The thing is industry doesn't care about the source.  So take the source data out."

NSA's Alexander: Infiltration of Yahoo, Google Data Centers 'Never Happened'

(Washington, DC)  Gen. Keith Alexander, Director of the National Security Agency (NSA), denied today a Washington Post report that the intelligence agency has secretly broken into communications links that connect Yahoo and Google data centers around the world.  Speaking at a Bloomberg Government cybersecurity conference, Alexander was--within minutes of the report's publication--asked about this latest bombshell revelation stemming from the documents obtained by former NSA contractor Edward Snowden.

"Not to my knowledge. That has never happened," Alexander said when asked if it's true that NSA secretly infiltrates the two Internet giants' networks.  Alexander's further denial seemed to be premised on the erroneous notion that this latest report dealt with court orders for surveillance data from the Foreign Intelligence Surveillance Court (FISC), an entirely different and legal, although murky, form of NSA data collection that came to light earlier this year.  "Those companies are compelled to work with us," he said. "These are specific requirements that come via court order....We go through a court order, we issue that order to them through the FBI."

Both the Washington Post and The Guardian began their series on the Snowden documents by revealing a "front door" NSA program called PRISM, under which NSA petitions the FISC to obtain user data from Internet companies, including Google and Yahoo.  However, today's Washington Post report reveals a secret initiative under which NSA uses a data extraction tool called MUSCULAR, which is operated jointly with GCHQ, the British intelligence agency.

Although Yahoo and Google are aware of and comply with the FISC orders, even while sometimes fighting them, both companies express in the Post article surprise and anger over the possible infiltration of their data communications links without their permission.  Those links are not encrypted (Google is in the process of putting that measure into place) but the NSA seemingly did have to infiltrate what the Post calls "gold standard" security measures to gain access to the companies' networks.
