“We’ve seen an increase in the number of destructive attacks since last year,” Raiu said. “We’ve seen more and more…some of these attacks can have devastating effects. The [cyberattack records] could be extremely valuable.”President Obama’s February cybersecurity executive order, which attempts to set in motion some of what Lieberman-Collins would have done, was “a good first step” in encouraging companies to share information about cyberattacks, but there is still little clarity on what should be discussed or how, Zelvin said. And most everyone acknowledges that laws will be needed to remove some barriers to information sharing.
“Can you share Internet protocol addresses?” Zelvin asked. “Can you share URLs? Can you share date and time stamps without the fear of breaking laws and regulations or other potential concerns around corporate regulations?”
Apart from the legal issues is the simple lack of education and awareness among business executives. “You can look across a number of industries and see how unaware they still are,” Zelvin said. “The general safeguards that could be taken are not.” Executives “are more focused on their day-to-day potential loss of intellectual property and the potential for criminal activity—all things that are very important—but without a deeper understanding into what is in their critical infrastructure and what could be attacked.”
In a later discussion, former White House cybersecurity coordinator Howard Schmidt urged business leaders to take the initiative and educate themselves about cybersecurity issues. They have to go beyond just asking the question of IT staff. “Asking the questions is only part of it,” he said. “You have to really understand the answer and be able to make business decisions based on the answer you get and know where things need to be done differently.”
Flickr photo by Gerald R. Ford School of Public Policy