Former NSA Director: Breaches Will Get Worse

Over the next two years, cyberattacks will get worse before they get better. But there’s some good news. There are methods to counter cyber threats — by working with stakeholders across the political aisle, including public-private sector initiatives, to create enforceable barriers that bring about change.

That was the sentiment shared by retired four-star General Keith Alexander, the former director of the National Security Agency, at Innovation Project 2015 last week. Alexander was the featured speaker on a panel that discussed everything from security and authentication to identity (and how to protect those three factors). The panel, made up of forward-looking leaders from the authentication field, dug into the “holy grail” of security and how it can be achieved sooner rather than later.

While the panel was focused on how to improve the security and integrity of the payments ecosystem, the conversations dabbled into mobile, Internet security, and new technologies as they relate to the innovations that enable secure payment and data networks. 2014 was coined by many as “the year of breaches” (Target, Home Depot, JPMorgan Chase, etc.), but now, with the year behind us and the impacts of the breaches lingering, the experts on this panel confirmed that now, more than ever, investments need to be made in cybersecurity. This includes sharing breach information more quickly between the public and private sectors in order to get at the root of this problem.

But as always, there are those few questions that put a damper on cybersecurity progress: just whose responsibility is it to share information about the breaches? Who’s in charge of paying for preventative measures, and who’s going to clean up the data breach messes if, and when, they do occur? And then there’s the debate over how to handle private, sensitive data: at what point does the NSA cross the line into intruding on the lives of consumers or businesses?

“If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill—it’s a surveillance bill by another name,” U.S. Sen. Ron Wyden (D—Oregon) wrote in a response to the committee. He cast the only dissenting vote against the measure. “It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.”

But something must be done, Alexander said.

“We aren’t where we need to be today,” Alexander said. “Nobody is meeting the standard. If even the best companies are making mistakes, we are not in the right place … If nobody can pass the standard, we have to come up with a way to make cybersecurity more successful. If everybody is doing everything and getting nothing then we are in the wrong place.”

Recently, the Senate Select Committee on Intelligence (SSCI) voted the Cybersecurity Information Sharing Act of 2015 (CISA) through committee on a vote of 14 to 1. The bill was co-sponsored by Sen. Richard Burr (R—North Carolina) as SSCI Chairman and Sen. Dianne Feinstein (D—California) as Vice Chairman. According to a press release about the bill, the legislation is aimed at creating “additional incentives to increase sharing of cybersecurity threat information while protecting individual privacy and civil liberties interests and offering liability protection to the private sector.”

The key purposes of the bill, as described by the committee, are to:

  • Direct increased sharing of classified and unclassified information about cyber threats with the private sector, including declassification of intelligence where it is deemed appropriate.
  • Authorize private entities to monitor their networks or those of their consenting customers for cybersecurity purposes. Companies are authorized to share cyber threat indicators or defensive measures with each other or the government.
  • Require the establishment of a capability (sometimes referred to as a “portal”) at the Department of Homeland Security (DHS) as the primary government capability to quickly accept cyber threat indicators and defensive measures through electronic means.
  • Provide liability protection for companies’ appropriate use of additional cybersecurity authorities. The monitoring of networks for cybersecurity threats is protected from liability, along with sharing information about cyber threats between companies consistent with the bill’s requirements.
  • Require reports on implementation and privacy impacts by agency heads, Inspectors General, and the Privacy Civil Liberties Oversight Board to ensure that cyber threat information is properly received, handled, and shared by the government.

The most recent draft of the bill, which is expected to reach the Senate floor as early as April, contains 15 amendments to the previous version, and most of those are related to privacy.

“The bill approved today by the Intelligence Committee on a strong bipartisan vote is a critical step to confront one of the most dire national and economic threats we face: cyberattacks,” Feinstein said. “In just the last year, hundreds of millions of Americans have had their data compromised, a number of major American companies have been attacked, intellectual property has been stolen, and there have even been attempts to hack our critical infrastructure. This bill would help defend against cyberattacks by allowing purely voluntary information sharing—limited to specific information about cyber threats—to better help the private sector and government understand and respond to these threats. The robust privacy requirements and liability protection make this a balanced bill, and I hope the Senate acts on it quickly.”

Burr called the legislation “overdue,” saying that it will “enable our agencies and institutions to share information about cyber threats while also providing strong privacy protection for our citizens.”

Privacy protections in the bill include:

  • Not requiring any private sector entity to share cyber threat information. Sharing is strictly voluntary.
  • Narrowly defining the term “cyber threat indicator” to limit the amount of information that may be shared under the Act.
  • Limiting the use of cyber threat indicators to specific purposes, including the prevention of cybersecurity threats and serious crimes.
  • Requiring the removal of personal information prior to the sharing of cyber threat indicators.

Regardless of the additional language, critics of CISA have raised two central concerns: that the bill won’t actually strengthen security and that the “information sharing” described within bears an uncomfortable similarity to surveillance.

Still, Alexander said the legislation, in some capacity, is needed. He predicts — especially without a more specific plan in place that gives oversight authority to prevent breaches — that cyberattacks and cyberterrorism will continue to grow. Cybersecurity must get simpler so more payments and commerce companies can keep track of necessary data in order to be proactive, instead of reactive.

How can the U.S. achieve this? By having the government work with those in the private sector to reach a common ground, and vice versa, Alexander said. And it means working with its allies in order to approach cybersecurity from a global perspective. The NSA has the power to stop cyberattacks, he said, but it can’t see where the holes in data security exist if it isn’t given access.

That’s where the scrutiny exists: Where should businesses and consumers give up a little of their own security to ensure the government can align its goals with private sector efforts to achieve a more comprehensive cyberattack plan? At what point does letting the NSA in cross the line into invading the lives of private citizens? That’s going to be up to the stakeholders to decide, though they can’t do it alone.

“The NSA can stop cyberattacks. But they can’t see what’s hitting you [without access],” Alexander asserted. “That’s where cyber legislation is coming in. We should fix this and we could.”

The question is, he said: how do we respond? As hacks get deeper and more complex, companies need a more secure wall of defense. And it can’t be done alone. It’s going to take the government, bipartisan legislation, the banks, retail, commerce and payments leaders. And it’s going to take a cross-border approach.

“Cybersecurity legislation is a must and partnering with our allies is a must and I think we can do both. Everyone at one time will be breached.”