The top executive of an iconic American security firm called Monday for a major change in administration policy on cybersecurity, saying that putting intelligence agencies in charge had been a mistake and arguing for a much larger role for the Department of Commerce.
Amit Yoran, president of RSA, made the remarks at the dedication ceremony for NIST’s expanded National Cybersecurity Center of Excellence in Rockville, Md.
He said the government should be doing more to educate businesses on risk management approaches to cybersecurity instead of emphasizing the provision of classified threat intelligence from U.S. spy agencies.
“We need to shift how our federal government engages on the cyber domain,” Yoran said. “Engaging with the government within the cyber domain has been dominated by the intelligence community. I can tell you from the private sector perspective, that’s the wrong approach. its been a catastrophic mistake. We need to engage much more aggressively through the Department of Commerce, making sure that our businesses are fully informed.”
In response to Yoran’s comments, DHS Deputy Secretary Alejandro Mayorkas said he understood the RSA chief’s skepticism but felt his agency had oversight and protection mechanisms in place to allay concerns businesses might have about sharing information with the feds.
“DHS is uniquely situated in having a statutorily created office of civil rights and liberties and an office of privacy,” Mayorkas said.
DHS, he argued, could be a bridge between the necessarily secretive intelligence agencies and the companies that own and operate America’s vital industries. “That uniqueness distinguishes and empowers DHS to be involved in the sharing of information with the private sector,’ he said.
The groundwork laid by laws like the Cybersecurity Information Sharing Act and standards in NIST’s cybersecurity framework have served to put the nation on a solid cybersecurity footing, but it will take much more effort if public and private sector are to deter the rise of data breaches and cyber attacks.
“The level of awareness has risen, but its not where it needs to be. If you really step back and assess the threats, this goes to everything — almost every piece of equipment, every car, every refrigerator, clocks, every tool we use, let alone our computers and networks and electric grid,” said Secretary of Commerce Penny Pritzker.
“The challenge is to make sure that we step up our game,’ she added, ‘We’ve got to collaborate.”
She said the information sharing mechanisms set up by CISA need to be utilized so both the public and private sector are protecting themselves from attacks in real time.
“We’ve got to build that bridge between the business community and the government,” she said. “All of us are experiencing cyber threats. What we need to do is take what each of us is learning about the threats and make sure its shared instantaneously between our private and public sector.”
On top of better collaboration, a number of experts expressed an importance on getting people into the cybersecurity workforce. Pritzker said a highly-trained workforce only serves to improve the cyberscurity awareness across an entire organization.
“This is man-to-man combat right now,” Pritzker said. “We need to start in the C-suite and the boardroom. To be honest most board members are not very educated on this subject. We need to do more to get the leadership sensitized, but making sure its then flowing through the entire organization.”
Symantec CEO Michael Brown said his company has a “cyber career connection” program that focuses on training underserved populations like women, people of color and veterans in order to get them to a level where they can get cybersecurity jobs.
“We would love to see government and businesses more enthused to hire these people,” Brown said. “It’s a real need.”
Yoran said instead of having government agencies train thousands of “cyber warriors,” —a term he “sometimes cringes” at — he believes the workforce gap could be closed if tech companies make their tools easier to use.
“We need to take the capability that we have and the smartest among us, and enable them to scale asymmetrically through the use of technology and innovation,” he said. “If you can provide greater scalability and efficiency to the experts you have, you’ll achieve a lot more than trying to use 60,000 experts, which are just not available.”
Despite the disagreements on display, everyone agreed that information sharing is key is raising the stakes for those who wish to do harm through sophisticated cyber attacks.
“If we want to enjoy the benefit of all these technologies, we have to protect ourselves,” Brown said. “Sharing information is how you create that layer of defense.”
“We’ve made a lot of progress in the last two-and-a-half years,” Prtizker said. “A hacker develops a process to get into a system and that can be replicated unless I share with others that ‘this is what happened.’ Unless we have the mechanism and protections and legal structure to allow for that, crime pays.”