...all the time, and we've seen this over the years, where it appears the last hop [for stolen data] is within a specific country, or in one case, a specific home, and in reality, it was a compromised computer that somebody was controlling from another country completely. In some cases we've seen successful prosecutions, but for the most part, if somebody is very sophisticated, attribution is tremendously difficult.
Intellectual property — that's the crown jewels for businesses. It needs to be protected.
Surely the NSA or other government agencies have a good idea about attribution of attacks? But businesses are in a different position.
I wouldn't necessarily say that. I know one company in particular where the CEO and many of the staff used to work for me when I was in defence. They have the same mentality. They use very much the same tools, and have the same capability to see very similar things [to the government]. As a matter of fact, oftentimes, some of these companies are the ones that identify [attacks] for a client, and provide information to the government. There are some great technical capabilities, some a little bit better than ours.
How does government continuous monitoring hook into public and private partnerships for data-sharing?
The context of continuous monitoring on government systems is that we are looking to view the dot-gov environment as a single enterprise, as the dot-mil environment for a long time has been a single enterprise. Three parts of that are: strong authentication, trusted internet connections, and continuous monitoring.
Continuous monitoring means, effectively, it's not a matter of reviewing logs six months down the road when you found out you had a problem. It's having a system in place so that when something does happen, a) you're alerted, and b) you can remediate, and get back to business.
Some businesses feel some parts of law enforcement and the private sector share information, but that certain areas of government remain closed. Is it always going to be a one-way street?
No. As a matter of fact, we've proposed legislation that we think is vitally important to helping the private sector do more to protect critical infrastructure. One part of that is the information-sharing piece. We're looking for specific authority to share information with the private sector, to make sure it has better protection in place so when they share with each other there's less concern about anti-competitiveness and antitrust.
But also, [businesses need] the ability to share with the government without putting their proprietary information in jeopardy. So, it's not a total one-way street, but we're trying to make sure it's more of a two-way street. You'll probably hear from the [FBI] director talking about the FBI's effort with the Secret Service to share information very proactively, and actionable information with the private sector.
We're also moving very similarly in the intelligence community, which traditionally has been very close hold for very proper reasons. You have GCHQ — you name the intelligence agency — which says, "We, to help better protect critical infrastructure, have to develop and devise a mechanism by which we can protect the source and methods, protect the pieces that make us successful. But what we do, we give private sector, say, [information about] a piece of malware so they can go and stop that from infecting their system."
Any ideas how that would work?
The mechanics of it, I do. But it's probably not something I would talk about publicly.
There are some privacy concerns about increased data-sharing. How are you going to get over those concerns?
In our proposed legislation we have very specific language protecting privacy. For example, in information-sharing, if a private-sector company in critical infrastructure is sharing information with the government, there are specific rules on stripping out all personally identifiable information, and only providing information on the malware or the cyberthreats.
There's very specific language in the proposal we put forward to Congress in a whole breadth of areas including privacy impact assessments on things that we're doing. Working with privacy advocates, those are the things to make sure we've got the right language in there, the right aspect, to protect privacy while enhancing security.