Over classification stymies threat-info sharing
- By Chase Gunter
- Jun 19, 2017
The most effective way to face down the next WannaCry, according to former U.S. Chief Information Security Officer Gregory Touhill, is better information sharing between the public and private sectors.
Speaking at a joint hearing held by two subcomittees of the House Science, Space and Technology Committee, Touhill said that global ransomware attack "could have been much, much worse."
"Public private partnerships are an instrumental tool" in preventing the next WannaCry, Rep. Darin LaHood (R-Ill.) agreed. He praised another witness, Kryptos Logic CEO Salim Neino, as a case in point -- noting it was a Kryptos employee who first identified the WannaCry "kill switch" that enabled governments and other organizations to contain the ransomware's spread.
However, better information sharing between government and industry is inhibited, Touhill said, by "over classification of information by the government."
Touhill noted that a disproportionate amount of information marked top secret was at the same time widely available in the public domain. One fix? "Change the default setting," he suggested, so that more information is initially unclassified. One study has shown, he said, that classified information appears online in about seven days anyway.
This transparency would assist in preparation for cyberattacks, Touhill noted -- a point echoed by Charles H. Romine, director of the Information Technology Laboratory at the National Institute of Standards and Technology.
Such preparations are not always about prevention, he stressed. "We are often thinking about detection and prevention of attacks," he said. "We don't pay enough attention to response and recovery.
Touhill agreed, adding that serious planning and preparation should involve exercises and drills that include personnel at all levels.
Regular drills "including the C-suite" would give preparation with the urgency it deserves, he said. "I think that's a conversation that boards and C-suites should be having because, frankly, if I'm somebody who's an investor in a company that's attacked, I'm going to be asking, 'Why weren't you doing due care and due diligence?'"
This article was first posted to FCW, a sister site to GCN.
Chase Gunter is a former FCW staff writer.