Closer cybersecurity ties needed between government, private sector, Trump administration, DOJ official says

12 January 2017. By Mike Swift.

With cybersecurity suddenly commanding the national spotlight as President-elect Donald Trump prepares to take office, the incoming administration said New York Mayor Rudolph Giuliani will coordinate a cybersecurity outreach effort to the private sector, and a US Department of Justice official said Thursday it’s critical that private companies share cyber-threat data with the government.

The fact that Yahoo was forced to rely on a law enforcement source to discover that one billion of its accounts had been hacked in 2013 is already fodder for plaintiffs’ attorneys in the sprawling class-action litigation against the company. But it is hardly unusual that companies that have been hacked fail to discover that intrusion themselves, Adam Hickey, a deputy assistant attorney general with the DOJ’s national security division, said at an event in Washington* that was held to underscore the need for corporate leaders to work with the US government agencies engaged in cyber-defense work.

About 50 percent of cyberattacks are brought to the victim’s attention by law enforcement or other third parties, rather than the target discovering the breach, Hickey said. Yahoo has said that one of two massive hacks it suffered in 2013 and 2014 was due to a state-sponsored actor, though it has not disclosed which state sponsored that hack.

Cybersecurity is not just about prevention but about how companies share information about attacks they have suffered. “It’s not just about defense,” Hickey said. “If someone is determined enough, they will likely breach your network if it is connected to the Internet.”

Hickey and a US Department of Homeland Security official spoke Thursday as the incoming administration announced that Giuliani will help the government bolster its cyber-defenses. As part of that effort, Trump plans to host a series of meetings with senior corporate executives from companies sharing cybersecurity challenges similar to those facing the government.

“The best way to summarize this is, over the course of the last 20 years, our ability to use modern technology has evolved in ways we couldn’t possibly imagine — really fast, very quick. We can do things we never could do before,” Giuliani told reporters. “Our ability to defend that has lagged behind. It’s as if our offense has gotten way ahead of our defense.”

Given revelations of pre-election hacking by Russia of the Democratic National Committee and sensational but unconfirmed allegations that the Russians had collected compromising personal material on the president-elect, cybersecurity has erupted this week as perhaps the leading national issue at the dawn of a new administration.

Giuliani said the administration’s efforts to forge new cybersecurity ties would tap expertise from the private sector to help the government and the nation defend itself better against cyberattacks, ranging from those by state-sponsored actors to those by individual criminals trying to steal people’s identities.

“Many of the solutions to it, and many of the problems, are in the private sector. So you can’t confine yourself to government,” Giuliani said. “So the purpose of this group will be to bring to [Trump] top corporate executives and the top thought leaders in the private sector who are, number one, experiencing the problems, and number two, are also working on the solutions to the problem.”

Hickey said that with cybersecurity issues, companies cannot rely on digital defenses alone. Just as important, he said, is how companies respond and open up to law enforcement when they are breached, which is important to preventing future attacks.

That is one reason why it is crucial for companies to develop a line of communication with the DOJ and the DHS before there is a breach. Those relationships are “the largest ingredient in our success. It is not regulation or legislation or policy,” Hickey said.

Larry Clinton, CEO of the Internet Security Alliance, said that the biggest need is not more regulation, but the streamlining of existing regulations.

“The traditional regulatory model does not really work … for this 21st Century problem,” Clinton said.

*Release of updated corporate cybersecurity handbook by the Internet Security Alliance & the National Association of Corporate Directors. National Press Club, Washington, DC, Jan. 12, 2017.