Unless Congress acts on a major cybersecurity bill this session, the U.S. will face “a major catastrophic event” that takes down an American company or institution in the next 18 months, according to Rep. Michael Rogers, R-Mich., chairman of the U.S. House of Representatives Select Committee on Intelligence.
“Now is the time to act,” Rogers told a high-level conference of government and industry leaders Wednesday in Washington, D.C. “We are getting crushed. We are in a cyberwar, and we are losing.”
He warned that Russia, China, Iran and North Korea “are about a half stroke away” from destroying something like an electric grid. “Cyber will prep our next battlefield,” Rogers warned. “They are developing the capability to wipe us out.”
Rogers said Iran cyberattacked U.S. financial institutions 350 times last year. “We don’t have a sense of urgency on this that we need to have,” he warned. Besides nation states, cyberattacks are increasingly coming from organized criminals, especially in Eastern Europe, the experts said.
The conference brought together members of the Merchant-Financial Services Cybersecurity Partnership, a coalition of 19 associations, including the Financial Roundtable and the Retail Industry Leaders Association.
Most speakers agreed that what is needed is information sharing by the private and public sectors on data breaches and technology strategies. “That’s the guts of this,” admitted Sen. Saxby Chambliss, R-Ga., ranking member of the Senate Select Committee on Intelligence.
So why don’t they just share what they know? Speakers cited various reasons, most dealing with their fears: Fear of competitors taking advantage, fear of liability and lawsuits, fear of loss of privacy for customers and, to a lesser extent, fear of antitrust accusations.
The conference made clear that companies want protection from liability if they are going to disclose breaches more openly and share cyberinformation with the government, other corporations and their customers. And that requirement is one of the snags facing proposed legislation.
Michael Daniel, special assistant to President Barack Obama and cybersecurity coordinator for the White House, pointed out that already there are 47 different state laws mandating some form of disclosure. So a national law that would standardize disclosure should be welcomed.
“The other point is we’re very clear when we talk to companies about sharing information with the government, that we don’t want that to be public, at least not yet,” Daniel said. “We don’t want to give the bad guys a road map.”
One panelist, Joe Demarest, assistant director of the Federal Bureau of Investigation’s Cyber Division, mentioned general counsel a couple of times when speaking about roadblocks to information sharing. And he noted there is often a lack of trust between the private sector and government.
“We collect information, but some people have to work through their general counsel and there is a bit of delay, sometimes hours or days,” Demarest said. “Companies want [information] validated more. We need to get trust.”
He suggested that corporations set up cyber task forces and develop ongoing relationships with the FBI “before we come knocking on your door at 6 p.m. on a Friday evening to tell you about a breach.”
Several speakers made reference to major data breaches, including a massive one at Home Depot Stores Inc. confirmed by the company this week. Assuming the government had shared information about the Target Corp. breach over the holidays with Home Depot, one person wondered how helpful information sharing really is.
The FBI’s Demarest replied, “It’s part of the solution, but only part.” Also vital, he said, are internal policies that hold employees accountable and training on opening emails that may contain malware. “Bad actors are brilliant today,” he added, “so internal controls and training are important.”
Another panelist, Nancy O’Malley, chief payment system integrity officer for MasterCard Inc., spoke of legislation as too slow a process. “The criminal community is moving so quickly,” she noted. “What we’re trying to do is [develop] a payment security task force looking to the future and what we can do to build a safer environment.”
One panelist mentioned Apple Inc.’s introduction Tuesday of “Apple Pay,” a way to pay using iPhones with near-field communication technology. O’Malley said, “Mobile is one of the single most important opportunities to get it right. Now we have a chip that has computing capability for security. Now a mobile secure element is at an unprecedented level in terms of the technology each consumer is carrying in [her] hand.”
Reed Luhtanen, senior director for payments strategy at Wal-Mart Stores Inc., agreed. “You can use a mobile device to create a more secure transaction than a card,” he said. “A merchant never has to see customer private data or numbers. And we need to leverage it for all we can get.”
No comments:
Post a Comment