The war on cyberterrorism requires law enforcement agencies and the private sector to develop guidelines and protocols for sharing information about network vulnerabilities and cyber attacks, government and industry leaders said Thursday.
"Face-to-face relationships are great, but we need to go beyond that," Chris Painter, deputy chief of the Justice Department's Computer Crime and Intellectual Property Section (CCIPS), said during a cyber-security forum at Computer Sciences Corp. headquarters in Falls Church, Va.
Painter led one of several workshops in which law enforcement and private-sector officials discussed obstacles to information sharing. Conference organizers said they closed those workshops to the media in order to encourage participants to discuss problems and ideas with as much candor as possible.
Later, during a public portion of the conference, workshop facilitators said many companies that are the victims of cyber attacks are afraid that reporting those crimes to law enforcement will result in public-relations nightmares, disrupt their operations and harm investor relations. But they said the workshops revealed that companies would be less reluctant to share that type of information if they had some idea of what law enforcement officials would do with it.
"If industry understood how law enforcement acted, when they would act, and when things would become public ... that would go a long way toward getting the right kind of reporting," Painter said. "Expectations need to be laid out for each side. What kind of information are they looking for, and what can they expect down the road?"
Scott Charney, Microsoft's chief security strategist, said information sharing would improve if law enforcement and industry worked together to establish "recognized procedures" about how cybersecurity information would be handled.
"If there were some sort of guidelines or protocols in place that both sides were educated on, then the process would move a lot more quickly, particularly in those cases where relationships of trust hadn't already been built," Charney said. "For example, if a case is going to go public ... does the company get input on a press release? Do they get input on the timing? How can they manage the information flow better?"
Jack Hanly, an assistant U.S. attorney in Virginia, said those types of protocols would be especially helpful for small businesses that fear the economic repercussions of notifying the government of cyber attacks. "They don't really have any idea what goes on in law enforcement," Hanly said.
The Information Technology Association of America (ITAA), which co-hosted the forum, plans to assemble a working group to develop protocols and guidelines based on the ideas that emerged from the workshops, according to ITAA President Harris Miller. Miller said the working group also will look for ways to remove the "scary factor" from industry's perception of law enforcement agencies.
"Most people think that if we call law enforcement, all the cops will show up with all their blue jackets with the alphabet soup on the back," Miller said. "If we're going to get beyond that, it's going to take some real dialogue."