Sharing information key to halting cyberattacks

Stopping cyberattacks in the coming era of the Internet of Things will require better information sharing between government and the private sector, said former Homeland Security head Tom Ridge on Thursday in San Diego.

“We still don’t have that public-private partnership,” said Ridge at CyberFest 2015. “You do have information-sharing analysis centers, but we have a long way to go before we minimize risk.”

Ridge, a former Republican congressman, was the first Homeland Security Department Secretary under President George W. Bush. He and current business partner Howard Schmidt, a former cyberadviser to President Obama, answered questions about the current state of cyberthreats at the CyberFest conference organized by the nonprofit Securing our eCity Foundation.

CyberFest’s focus was the security of the Internet of Things. As many as 50 billion devices are expected to be connected to the Internet over the next decade, according to industry research firm idtechex.com. Not all of these gadgets will be powerful enough to provide a gateway for hackers to launch attacks. But billions of them will be, said Ridge.

“Everybody has a role to play in cybersecurity,” he said. “If everybody is connected, then at some point in time you have a role to play.”

Ridge said government should share data about malware, precursors and cyberattacks with the private sector, and the private sector should share information about the attacks they’re experiencing with government.

For now, that’s not happening enough, he said. Part of the reason is businesses fear they’ll become targets of regulators.

“The Federal Trade Commission is fining companies who haven’t even been breached because somebody in government has decided that their security protocols aren’t good enough,” said Ridge. “Maybe the FTC should work with the OPM (U.S. Office of Personnel Management) before they start fining companies.”

In June 2015, the Office of Personnel Management announced that it had suffered a data breach that may have exposed the records of about 20 million people, mostly current and former government employees.

Cyberattacks have grabbed headlines over the past few years, with high-profile breaches at Target, Home Depot, Sony and elsewhere highlighting the growing threat.

A study by research firm Ponemon Institute found data breaches on average cost organizations $6.5 million in damages this year — up $600,000 from last year.

Ponemon only counts breaches where 100,000 or fewer records were compromised. Extreme breaches such as Target are excluded so they don’t skew the data.

Technology to identify the perpetrators of cyberattacks — called attribution — is getting better, said Ridge. While organized crime is behind some data breaches, nations also are believed to be behind several cyberattacks in the U.S.

President Barack Obama has signed an executive order that gives the government authority to respond to state-sponsored cyberhacks with sanctions or other measures, said Ridge.

“I think it is about time,” he said. “Until we push back, and I am going to leave it to the president to decide how we push back, they will keep doing it.”