Private business must take the initiative in addressing cyber threats and not wait for government, according to Howard Schmidt, the former White House cyber security co-ordinator for the Obama administration.
“We did not get where we are today by waiting around for government; we have the private sector to thank for driving the evolution of the internet,” Howard Schmidt told Computer Weekly.
For example, business has demanded and deployed multiple technologies to combat phishing so that now relatively few attacks reach corporate email users, said Schmidt.
“It is not correct to say that the private sector has not responded to cyber threats, because private companies have acted,” he said.
However, that is not to say government does not have a role to play, said Schmidt, because there are two important things they can do.
“First, in exercising legal authority to investigate criminal activity and protect citizens, they can gather valuable information on cyber threats and techniques, which they can share with corporates,” Schmidt said.
Second, said Schmidt, government intelligence agencies – such as the UK’s GCHQ – also have a great deal of information about sources of attacks and attack methods that can be shared with business.
However, he said that, in his experience, much of this information is often unnecessarily considered “classified”. Consequently, it takes weeks and even months before it can be shared.
While at the White House, Schmidt campaigned for changes that would enable cyber attack information to be declassified and shared faster, particularly when critical infrastructure is involved.
All governments need to review and revise any legislation that gets in the way of sharing useful information about cyber crime with industries, sectors or individual companies affected.
“In one US case in 2011, it took 102 days from when an attack was reported to share the information with the private sector, which is unconscionable,” said Schmidt.
There are added restrictions, he said, on sharing information about cyber attacks received by an intelligence agency in another country.
Schmidt believes all governments should be giving urgent attention to setting up mechanisms for making such information “actionable, timely and viable.”
“Although some progress has been made, it is not fast enough. We cannot wait for governments. Private industry has to make a start in sharing the cyber attack information it holds,” said Schmidt.
“It is incumbent on every CEO, industry sector and supply chain member to find ways to share this important information.”
On the topic of cyber warfare, Schmidt believes it should be all about defence. “Everyone has an indisputable right to defend their networks,” he said.