After the Senate's passage of the Cybersecurity Information Sharing Act (CISA) on Tuesday, we turned to the Cyber Threat Alliance for some perspective on the bill.
The alliance includes four companies, Palo Alto Networks, Fortinet, Symantec and Intel Security Group, and its goal is to share information. It broadly supports the Cybersecurity Act, with some reservations.
The big issue is, of course, privacy and how much the government can be trusted. At the same time, the industry, and those it aims to protect, face an increasingly sophisticated and nimble army of hackers.
Intel Security Group Senior Vice President Christopher Young put it this way, "In general, we do support what focuses on threat intelligence sharing, but we have to make sure that privacy is effectively managed and protected in the right way."
"Our No. 1 goal is protecting our customers' privacy, so we can't be in a situation where that's compromised," he said.
Young largely praised the government for engaging with the private sector, noting an ongoing dialogue around a complex set of issues. The bill, though, has taken four years to get to the Senate; meanwhile, cyberattacks seem to have proliferated, wreaking havoc on individuals and companies alike. Writing legislation that addresses current and developing challenges in the space is difficult, he said.
Symantec CEO Michael Brown voiced concerns about the act and says that — in its current form — it does not go far enough to protect privacy.
"I understand the provisions of the bill allow for anything shared with the government to be shared with all the agencies, including the NSA," Brown said. "Privacy and security are really flip sides of the same issue, and we need to make sure that we have the strength in security and the strength in privacy equal."
Brown suggested that, rather than sharing information directly with the government, an independent civilian agency act as an information clearinghouse.
Palo Alto Networks CEO Mark McLaughlin shared similar concerns around privacy but focused more on the opportunity.
He sees the vast amount of data available to "good guys" as a key advantage that has not yet been fully realized: "Nobody's able to leverage those networks yet, but that's changing a lot through technology and the intelligence we are doing with things like the Cyber Threat Alliance."
The legislation also protects companies from antitrust and liability concerns when they do share information, protection McLaughlin said will indeed help facilitate the sharing of more information.
Interestingly, there are areas where some tech-security executives would like to work even more closely with the government.
Ken Xie, CEO of Fortinet, would like to see more government oversight in terms of regulating the cybersecurity industry, something the act does not address. Xie said the main problem is not a lack of information sharing, but rather, too much of it. "If the bill could address some of that, it would be very helpful," Xie said.
"There's so much information, so much data, so much noise, and the consumer gets confused," Xie said.
In a manner similar to the way the FDA regulates pharmaceutical companies, Xie would like to see a new government entity regulate the cybersecurity industry. "In the last two years, there are more than 1,000 companies — start-ups — in this space, and they're all marketing different solutions in cybersecurity and that's where a lot of customers get confused."
Intel's Young would particularly like to work more closely with government on training the next generation of professionals to thwart hack attacks.
"There's a massive talent shortage in our industry," he said.
Young would like to establish a "cyber corps," something like the Peace Corps, but for hackers to help defend public and private institutions against cybercriminals. "That's one place where I think the government and private industry can come together to make a difference in terms of training people, getting more people into the arena of cybersecurity," Young said.