Any cyber security bill that becomes law must authorize information sharing amongst industry and the government and give companies, or a third party, the right to monitor their networks, according to Northrop Grumman [NOC] CEO Wes Bush.
“We need to make sure we don’t limit a company’s ability to electronically monitor its information systems for cyber security purposes,” Bush told an audience during a speech April 9 at George Washington University in Washington. “Any law that ultimately makes it through the system has to authorize, I think, and facilitate the exchange of cyber threat information within, and among, industry and with the government.”
Bush said the government must protect not only its own extensive networks and data but also the network security of the defense industrial base: private companies that provide the critical infrastructure to the United States.
“Examples would include our nation’s energy suppliers, banking and finance, transportation and companies like the one I lead, which supply the means by which our nation defends itself,” Bush said.
Bush said cyber defenses could be improved if specific attack methodologies, such as bad sites, malware or social media probes, were “freely shared on an efficient, timely basis” among companies.
Bush said current cyber security methods are inadequate because of privacy issues, citing an incident where the National Security Agency detected a foreign entity trying to steal three gigabytes of information from an American defense contractor. He said current information-sharing rules would not permit the agency to warn the contractor of what was about to happen to it.
“The sharing of threat information between businesses, and of course, government and business, is absolutely necessary in the fight to defend a company’s digital information,” Bush said. “And how that information is shared is often the source of concern when the issue of privacy is considered.”
Bush said that, to solve these privacy issues, “we need to advocate legislation and policies that put in place a workable, effective and enduring cyber defense that includes adequate privacy safeguards and limits, particularly with respect to government participation.”
Two different cyber security bills have been introduced in the House over the last few months. One, the SECURE IT bill, is based on a companion bill introduced in the Senate, which promotes more sharing of cyber threat data between the federal government and the private sector without adding regulation. The other, the proposed Cyber Security Act, is considered to be light on government regulations but would allow the Department of Homeland Security to set minimum standards that owners and operators of critical infrastructure must meet for securing their computer networks, although the private sector would be allowed to enforce compliance itself (Defense Daily, March 28).