‘Treat us like adults’: CISOs air criticism of U.S. gov’t cyber outreach
The chief information security officers for Yahoo, Netflix and Block criticized the federal government’s engagement efforts with the private sector, raising several concerns about the perils of incident reporting and the conduct of certain agencies.
Rob Silvers, Under Secretary for Strategy, Policy and Plans at the Department of Homeland Security, told a panel on public-private cybersecurity engagement at the Billington Cybersecurity Conference that he wished companies were more interested in engaging with the government after cyberattacks.
While he acknowledged that it is on the federal government to show the value in reporting incidents to certain agencies, he said some companies “can be too risk averse” when it comes to working with the government on cybersecurity.
“As a lawyer, I can say a lot of that lies with the lawyers. It’s a reflexive risk aversion of ‘Oh we could be harmed if we speak, if we disclose to someone else what has actually happened here.’ Having been on both sides, you actually see very few instances in which a company has been very badly burned by being too transparent and working too closely with federal authorities who can help them,” Silvers said. “Usually boards and audiences and customers applaud the taking of the right steps to protect the company, their customers and others.”
But the other members of the panel — Netflix CISO Vitaly Gudanets, Block CISO Jim Higgins and Yahoo CISO Sean Zadig — went on to explain precisely why many major companies are reticent to get involved with government agencies after an incident.
Higgins said that as a financial institution, Block has found that it is “painful to share with the United States government” because there is not a universal agency or department to contact.
Higgins and Zadig also took issue with the one-way information sharing that they felt infantilized organizations with their own sophisticated intelligence to share.
“We really need to be treated like adults. That’s the key area where we have seen some recent improvements. We need to not be told what to do,” Zadig said.
“Because we are a service provider, there are 4th Amendment issues, there are agent of government concerns that we need to navigate. If a government agency shows up and says ‘you need to do this’ or ‘give us this information,’ we’re going to disengage and pull back.”
Zadig said the government agencies that Yahoo works with successfully are “well calibrated” to partner with private industry and respect the sensitivities or unique legal equities that companies may have.
While more agencies and field offices are getting better about working with companies like Yahoo, Zadig explained that they sometimes get conflicting requests from different agencies or even field offices within the same agency asking for differing information.
Gudanets acknowledged that one difficulty the U.S. government has is that there is no single way to engage with companies across such disparate industries. The issues Netflix faces differ greatly from those of other companies, according to Gudanets, who added that, like the other CISOs on the panel, he finds the “partnership” with government agencies often feels one-directional.
“There is a lot of confusion about who you engage with. You have new agencies coming to the table. Now the SEC has new requirements,” he said. “It doesn’t seem like there is consistency yet of how to engage with the public sector but it is moving in the right direction.”
Silvers noted that the problem the Department of Homeland Security, CISA and other government bodies face is that they have to offer a menu of options to organizations of all levels of cyber sophistication.
The government has to offer help to small businesses, non-profits, K-12 schools and others who are underfunded and lack the staff to handle the kind of information sharing that companies like Yahoo, Netflix and Block require.
“We’re trying to create risk strategies that companies can take on. CISA is weeks away from publishing cybersecurity performance goals that will have performance-based outcomes that are industry agnostic and that companies can ascribe to,” Silvers said.