Getting Businesses to Share Threat InfoOvercoming Hesitancy to Reveal Data to Law Enforcement
Although businesses understand the benefits of sharing cyber-threat information with law enforcement, they too often let perceived legal constraints and other qualms prevent them from collaborating, says Mary Galligan, the former head of the FBI's New York cyber unit.
For example, some businesses are concerned about how regulators would react if they share information with law enforcement, Galligan says in an interview with Information Security Media Group (see transcript below). "At times, there was hesitation from businesses based more on the uncertainty ... on how it was going to affect their relationship with ... regulatory agencies," she says.
That places the onus, at times, on law enforcement to get businesses to cooperate. "[It's] the government recognizing that the private sector has information that the government needs and the private sector recognizing that the government has information that they need to help protect themselves," says Galligan, who recently joined the consultancy Deloitte and Touche as a director within its security and privacy practice.
The FBI encourages businesses to participate in its outreach program before a cyber-incident occurs so that they would know how to respond to an intrusion, Galligan says. "[That way], they would understand the obstacles and, perhaps, could better prepare for them beforehand and have a cyber-incident response plan that took into account all the different issues," she says.
In the interview, Galligan also discusses:
- Limits law enforcement and governments face when working with business on cyberthreats and cybercrime;
- How organizations in different sectors need to assess cybersecurity risk;
- The impact of President Obama's executive order to create a cybersecurity framework on the IT security of different sectors (see NIST Issues Preliminary Cyber Framework).
As special agent in charge of the FBI's New York field office's special operations and cyber division, Galligan led more than 400 employees working in technical and physical surveillance operation. Galligan supervised the FBI's investigation into the Sept. 11 terrorist attacks and oversaw a team of 75 people. She joined the FBI as a special agent in 1988 and has experience in criminal, terrorism and intelligence-gathering missions. In her new role at Deloitte, she advises senior executives at Fortune 500 companies on crisis management challenges, such as addressing cyber-risks.
ERIC CHABROW: First, take a few moments to tell us about yourself, your work in cyber at the FBI and your new job.
MARY GALLIGAN: I worked in the New York office of the FBI working on cyber-investigations, both national security and criminal, for over three years with a very, talented group of special agents and analysts. Now, I'm at Deloitte hoping to help their clients understand a little bit better the threat from adversaries to our technology, and to work with them on explaining how the government, along with the private sector and academia, needs to work together to try to come up with solutions to the threats.
Public, Private Sector Relationships
CHABROW: On that point, how would you characterize the relationship between the government, law enforcement and the business community in battling cyberthreats and cybercrime? What are some of the obstacles that need to be overcome?
GALLIGAN: The way I would characterize it from my experience in the New York office is it was definitely a relationship that was building information sharing, the government recognizing that the private sector had information that the government needs and the private sector recognizing that the government had information that they needed to help protect themselves. Two big obstacles are legal issues because the law has not kept up with the technology, as well as classification of information that the government has and how do you get that in a format that can be shared at an unclassified level. That was something that the FBI was working very hard at as I worked in the cyber program - to get the information to businesses so they could protect themselves.
CHABROW: Are there legal restraints that the FBI faces in getting that information to a business?
GALLIGAN: Constraints in getting it to the business would be more on the classification level. ... In other words, there are consent issues; there are privacy issues. It's a matter of working with a company and figuring out the best avenue for the government to help, if they're in a position to. One of the ways that we did that in the New York office was a lot of outreach, a lot of education and a lot of briefings to companies before something had happened so they would understand the obstacles and, perhaps, could better prepare for them beforehand and have a cyber-incident response plan that took into account all the different issues.
Hesitation in Sharing Information
CHABROW: Did you sense there was a lot of hesitation with businesses in dealing with the FBI because they didn't want to reveal what's going on in their own operations?
GALLIGAN: At times, yes, there was hesitation from businesses based on more of the uncertainty, especially if it [was] a publicly traded company. How is working with the FBI going to affect what they were required to notify the SEC about or how was it going to affect their relationship with other regulatory agencies? The way we would approach that is we would have those conversations about exactly what happens when they work with the FBI. Sometimes we had teams that included members from other agencies, like the Secret Service or the FCC. There was hesitation, and through better dialogue some of that hesitation has alleviated.
Importance of Legislation
CHABROW: As you know, there's legislation that has passed the House of Representatives, the Cyber Intelligence Sharing and Protection Act, known as CISPA. There's some holdup in getting that passed because there's a threat of a presidential veto over aspects that deal with privacy, as well as liability protection for businesses that do share information with the government. How important is it to get legislation like CISPA enacted?
GALLIGAN: I think it's important to get the right kind of legislation enacted. ... For example, right now there are 46 different states that have a data breach law but there's no federal data breach law. What's the right answer for that? I think there needs to be a lot of debate about that, but I think we need to make it easier for businesses and private sectors to know what to report, who to report it to, and to encourage them and build an environment where they're encouraged to report it so that we can all be safer.
Simplifying Breach Reporting
CHABROW: As you know, it's difficult to get things through Congress. People have been talking about national data breach legislation for years, and Congress really hasn't done anything about it. In lieu of something like that, what's the best that can be done, and what avenues can be used to simplify reporting of these breaches, for example, that would be consistent nationally?
GALLIGAN: I think it's going to be interesting to see what comes out of the president's executive order that he signed in February [calling for a cybersecurity framework of best practices for protecting critical infrastructure]. We're in the midst of coming up with a protocol for the different sectors of industry. Those will be voluntary protocols. It will be interesting to see what they are because those will be the first time we'll have something on a national level. I know that companies across the country have been participating in workshops. It will be interesting to see what they are because it will create a baseline.
Another way that information is being shared is [through] private sector [initiatives], whether it's through the different ISACs that DHS has set up, like the FS-ISAC. The banks and the financial institutions share that information themselves because there should be no competition when it comes to security. Sometimes you see the private sector coming up with their own ways to share best practices, and I think that's another good avenue.
Consequences of NSA Spying?
CHABROW: Do you sense any kind of hesitation on businesses cooperating with the federal government or law enforcement agencies because of the revelations of NSA's electronic spying?
GALLIGAN: No, I do not see hesitation because of that.
CHABROW: Businesses don't worry about the NSA or someone getting into their computers and saying, "Why should I cooperate?"
GALLIGAN: Working for the FBI and representing the FBI to businesses, I could represent what the FBI was going to do with information. With the entire issue with national security and civil liberties, we all need to strike the appropriate balance. There's a lot of debate that needs to be done in that area.
The Context of Cybersecurity
CHABROW: When you were named to your new job, you said organizations need to think about cybersecurity in the context of their industry, government and law enforcement. What do you mean by that?
GALLIGAN: What I was referring to is there are all kinds of different adversaries that are looking to steal information. The first thing that companies need to do is [decide], "What industry am I in, what information do I have that's important and why would somebody want that?"
The second thing about the government is what we've already covered. Is there information the government has that can help? What do I need to know about what NIST is going to be coming out with? That's what I'm referring to. ... One solution doesn't fit all. Every industry has to look at themselves; every company has to look at themselves. ... What's that crucial data that I have to protect and why would someone steal it? Because there's a difference between someone who's a hacktivist and wants to take your information for those purposes or a cybercriminal who wants to take information for financial purposes. And then there's the espionage side of stealing intellectual property. I think that's one of the first things we have to do, step back and say, "What do I mean by cybersecurity? What do I mean by the threat to my particular firm?"
Evolution of Hackers
CHABROW: From your perspective working with the FBI in those years overseeing cyber, how have you seen the sophistication of the hacker evolve?
GALLIGAN: The sophistication of the hacker parallels the sophistication of technology. We have incredible sophistication of technology. I don't even think YouTube was in existence seven years ago. The more avenues or the more devices, the more things that are connected to the Internet - there's approximately 5 billion devices connected to the Internet right now, and by 2020 they estimate 20 billion - if you look at that, the more things that are connected to the Internet, the more vulnerabilities there are. I think that spear-phishing, while it's a simple tactic that an adversary can take, is still a very, very popular one and it still works very well. Once an adversary is inside the system, what happens has become more sophisticated.
CHABROW: The more we hear about different threats, it seems almost exponential in the sense that it's growing and it's hard to get a handle on.
GALLIGAN: Part of what I see is a lot of basic fundamentals. You see people say, "Oh, the threat is too big. There's nothing I can do about it." Then you start to ask questions about what kind of management they have on their devices. I think it's over 90 percent of all mobile devices of some kind or another are connected to corporate e-mail, but only a third of them have mobile security software on them. There's a lot of people that say, "The threat's really big, so I can't do anything about it." How many surveys do we need to see that the favorite password is 1234567? The basic steps need to be taken.
I use the analogy ... [consumers] want a car that keeps them safe in a crash, but they don't want to wear their seatbelt. It's the same thing with cybersecurity. I do think there are lots of things that can be done when a company takes a step back, does the proper risk assessment and then makes those governance decisions. Everybody in the company understands that security starts with them; it starts at that keyboard. Security starts at the keyboard and not the firewall. Those things I think are not being done to the level they should be.