The data breach at credit reporting company Equifax Inc. is the latest example of vulnerabilities at private-sector companies that hackers have exploited — a growing trend that cybersecurity experts say emphasizes the need for enhanced information sharing between the Department of Homeland Security and industry officials.
In response to news of the Equifax hack, which could affect up to 143 million people in the United States, Sen. Mark Warner raised the prospect of passing legislation to more effectively alert consumers to cyberattacks that affect them.
The hack “raises serious questions about whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies,” the Virginia Democrat said in a statement Thursday.
Trump administration officials and federal agencies have already expressed the need to improve the cyber defenses of private-sector industry through improved information sharing.
A report sent to President Donald Trump on Sept. 1 by the National Infrastructure Advisory Council, a presidential advisory group, warned of a “watershed, 9/11-level cyber attack” if the federal government did not take immediate action to address urgent cyber threats to the nation’s critical infrastructure.
Among the report’s recommendations were calls for improved information sharing through enhanced public-private partnerships. Recommendations included streamlining the security clearance process for officials in charge of critical infrastructure assets.
Critics of DHS’s current public-private sharing process say much more still needs to be done to increase the quality and quantity of information being conveyed to private-sector officials — including acting upon many of the same recommendations that the infrastructure advisory council offered in its report.
The Cybersecurity Information Sharing Act of 2015 designated DHS as the primary channel for cyber threat information to pass from the federal government to the private sector. Michael Bahar, head of Eversheds Sutherland’s U.S. Global Cybersecurity and Privacy Practice, said that means DHS also needs to receive approval from other originating agencies before passing along information.
Bahar, a former staff director and general counsel for the House Intelligence Committee, said in a phone interview last week that information on cyber threats passes from DHS to the private sector through a “civilian portal” in which industry can voluntarily participate.
But even though DHS runs the portal, the agency that originated the information is in charge of the classification or declassification of that information, he said.
Jamil Jaffer, founder of the National Security Institute at George Mason University’s Antonin Scalia Law School and a visiting fellow at the Hoover Institution, said the need for such declassification results in delays in DHS’s information-sharing process, making the details of threats quickly obsolete because of the fast-shifting nature of attacks.
The information has to be “cleansed and minimized,” Jaffer said. “But if you think about it, that’s not truly effective because you’re plugging too much time up.”
Jaffer also noted that the current flow of cyber threat information is directed more toward DHS than toward the private sector.
“If you actually look at all the information that’s flowing back and forth — first to the government — it’s fairly limited,” Jaffer said in a phone interview last week. “And then coming back out of the government, it’s even more limited.”
DHS spokesman Scott McConnell said the agency “is continuously looking for ways to improve our cyber information sharing processes,” including through declassifying information whenever possible and using advanced technologies to share information about threats with government and industry in near real time.
He pointed to a number of public-private information sharing initiatives DHS currently operates, including the Private Sector Clearance Program, which shares classified information with select critical infrastructure operators.
Bahar recommended that DHS further streamline the security clearance process for industry officials to receive briefings on cyber threats.
“If you clear that backlog and improve the portability of clearances between agencies, you can increase the ability to get private-sector individuals cleared at companies to get this information,” Bahar said.