The financial services sector for years has been involved in sharing information about cyber threats with the federal government and among companies in the industry and it supports a new directive from the president aimed as improving this sharing, a representative from the financial sector said on Wednesday.
“The administration’s executive action is a positive step toward increasing the volume and quality of actionable and timely cyber security information,” Greg Garcia, the executive director of the Financial Services Sector Coordinating Council, stated in his prepared remarks to a House panel examining President Obama’s latest executive order on cyber security issued in February.
Garcia also lauded a provision in the order that enhances the Department of Homeland Security’s role accelerating the security clearance process for owners and operators of critical infrastructure given industry’s increasing need for access and contributions to classified information to improve cyber defenses. Garcia and others appeared before the House Homeland Security Cybersecurity Subcommittee.
Garcia also supports the directive’s creation of new Information Sharing and Analysis Organizations (ISAO), which will be led by the private sector for sectors and stakeholders to share cyber security information and coordinate responses. However, the ISAOs should not supplant the existing industry and service sector Information Sharing and Analysis Centers, called ISACs, that “must retain their status as the government’s primary critical infrastructure partners given their mandate for broad sectoral representation,” he stated.
Garcia also plugged the need for Congress to pass legislation that would promote the sharing of information about cyber security threats within the private sector and between the government and private sector. This legislation also needs to reduce industry’s liability concerns around the sharing of cyber security information, he said.
Martin Libicki, an analyst with the Rand Corp., stated in his prepared remarks that improved cyber threat information sharing as directed in Obama’s executive order “can help improve cyber security.” However, he said that information sharing being discussed as part of congressional legislation and in the president’s order isn’t a “panacea,” noting that hackers in many cases change their threat signatures so that even with more information sharing certain attacks would not have been prevented.
“In sum, there is nothing wrong with information sharing,” Libicki stated. “It should be encouraged. The president’s proposal may well do so, in which case it deserves our support. But there is something wrong with assuming that it solves most, much less all, of the cyber security problem. It only addresses one facet of a very complex space. It is, therefore, highly questionable whether efforts to achieve information sharing deserve the political energy they are taking up.”