The co-chair of a commission that will make cyber security recommendations to the next president said there needs to be a debate over whether private companies should be allowed to actively defend their information networks against cyber attacks.
“We must also consider proposals to permit the private sector to engage in active defense of their own networks,” Sen. Sheldon Whitehouse (D-R.I.) said on Monday at a cyber crime event hosted by the Center for Strategic and International Studies, which is sponsoring the commission on cyber security proposals to the next president.
Active cyber defense refers to acting in anticipation of an attack against computer networks, which includes pre-emptive attacks but also retaliation. However, it’s unclear what current laws might allow regarding active cyber defense, and frequently the key difficulty remains pinpointing attackers through attribution.
“Private defense would need to be closely coordinated with law enforcement and military actors,” Whitehouse said. “But in the spirit of ‘letters of marque’ to the old privateers, it is time for us to consider whether, how, and with whose permission we should allow private entities some licensed scope to defend themselves.”
Whitehouse said that given the vast majority of the nation’s critical infrastructure is owned or operated by the private sector, it has a duty to protect that infrastructure.
There should also be ways to better allow citizens to get in the cyber fight, Whitehouse said. One solution could be an “old fashioned militia model that allows ordinary citizens to come to the defense of their country” such as using National Guard troops, he said. Or, it could be something separate, “because in this theater of operations it really doesn’t matter how someone’s hair is cut, or whether they can’t or just won’t do pushups for you, or if they like to sleep in until noon. A cyber militia is worth exploring.”
Whitehouse touched on a number of proposals that might be forthcoming from the commission, including a federal-wide inspector general to deal solely with cyber security issues. This office could be within the White House Office of Management and Budget, giving it the clout needed to raise accountability for cyber security throughout government, he said.
He also said that the public still doesn’t understand the severity of the cyber threat and that part of that problem is due to overclassification of attacks. To address the need for a “story teller” for cyber security, the White House should have an office charged with reporting “the intrusions and threats we face” and also have responsibility for declassifying information without hurting ongoing investigations, Whitehouse said.
Whitehouse also said the private sector is reluctant to disclose cyber attacks against companies.
The government also needs to be clearer with other countries about what the consequences are for sponsoring cyber attacks against U.S. businesses and governments, Whitehouse said. He lauded the Justice Department’s public indictments of foreign agents for cyber attacks as a step in the right direction.
The U.S. doesn’t need its cyber enemies “to sign off” on its cyber deterrence policy, he said.
The Commission on Cybersecurity for the 44th Presidency is also co-chaired by Rep. Michael McCaul (R-Texas), chairman of the House Homeland Security Committee.
Whitehouse also said that prosecutors need more “tools” for dealing with the “new world of cyber crime they face.”
To ensure that the private sector is doing its part in “meeting their cyber defense responsibilities,” Whitehouse said that the Cybersecurity Framework developed two years ago by the federal government in cooperation with the private sector should undergo “stress testing…to ensure it is actually producing adequate security for critical infrastructure in key industries rather than just happy participants because they’re asked to do so little.”