Easing DoD-Business Collaboration Limits Proposed
Laws Limiting Cooperation Seen Hampering Cybersecurity Innovation
Rep. Loretta Sanchez, the California Democrat who chairs the Terrorism, Unconventional Threats and Capabilities Subcommittee, expressed concern that existing laws and regulation limit collaboration between the military and private sector in developing solutions to protect government IT.
A U.S. Strategic Command study revealed that about 10 laws exist that place some restrictions on military/private sector collaboration on cybersecurity, David Bodenheimer, a lawyer who co-chairs the American Bar Association's cybersecurity and homeland security committees, told the panel. "We do need to look at some of those laws to determine whether there needs to be additional authority for the Department of Defense to share the information with private sector," Bodenheimer said.
Tech America Chief Executive Phillip Bond testified those restrictions on collaboration arose years ago, and though they may have made sense then, today they represent obstacles to needed collaboration between the military, business and academia. The private sector, he said, has gained an understanding of cyber's netherworld that should be shared with the military. "Leading thinkers and leading companies are really talking to some of the folks who are engaged in this kind of gray world between perpetrators and the rest of the world," said Bond, whose association serves as the chief lobbying arm of major IT corporations. "We can learn more about what the adversaries are doing through academic and private-sector partners so we get to that forward-looking agenda."
Cornell University Computer Science Professor Fred Schneider told the subcommittee a more open collaboration than now exists between the Defense Department and private sector would expose to our adversaries what works and doesn't work in securing critical IT systems. Still, he called for more openness. "It seems pretty clear that we over-classify content with respect to cybersecurity, and there's a great risk that academics and others who don't have access to this information will solve the wrong problem," Schneider said.
Bodenheimer noted the Strategic Command report proposed establishing not-for-profit organizations to vet sensitive information exchanged between the military and private sector as a means to encourage more collaboration. "I also agree that over-classification has been an issue," he said. "We need some institutionalized methods such as technology clearinghouses with restrictions on access, but still [provides] access so that industry and the Department of Defense can, in fact, work together."