The Obama administration recently announced the creation of the Cyber Threat Intelligence Integration Center (CTIIC), a new governmental agency created to prevent cyber threats by analyzing and integrating digital intelligence collected through government and non-government sources. The agency is part of the recent overture by the federal government to highlight the importance of increasing cyber security measures through a more proactive and offensive approach. The CTIIC, formed via executive order, will initially be staffed by 50 officials from existing government agencies; however, there continues to be controversy surrounding the funding of the $35 million dollar agency.
The agency will work to “fill the gaps” in current cyber security efforts by coordinating cyber threat assessments through real-time data-sharing and conciliation of information among existing government entities, such as the Central Intelligence Agency (CIA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI). President Obama commenting on the formation of the new cyber intelligence hub at last week’s White House Summit on Cybersecurity and Consumer Protection, stated, “[j]ust like we do with terrorist threats, we’re going to have a single entity that’s analyzing and integrating and quickly sharing intelligence about cyber threats across government so we can act on all those threats even faster.” Despite the president’s enthusiasm regarding the new government agency, senior White House officials believe the success of the CTIIC lies in the hands of the private sector.
Data breaches are increasingly predominant in the private sector. The CTIIC’s formation comes specifically as a response to the November 2014 high-profile hack of digital data of a prominent company, which Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco, in her speech announcing the formation of the CTIIC, cited as a “game changer.” However, the hack represents merely one of several recent cyber attacks on U.S. companies, with the major breach of health insurer, Anthem, being the most recent.
Approximately 85 percent of the United States’ critical infrastructure is housed by the private sector. As the private sector is the target for some of the most dangerous cyber security threats, the CTIIC will depend on a “steady stream” of data from private organizations to yield the aggressive results intended. “To truly safeguard Americans online . . . we are going to have to work in lock-step with the private sector,” Monaco said in her speech at the Wilson Center on February 10, 2015. The goal is that the CTIIC will integrate the cyber threat data collected from government agencies with analogous data that is freely reported to the agency by private companies in order to best assess data breach threats. The CTIIC will then rapidly report the results of the analysis back to the private and public sector to implement preventive measures.
For now, the private sector’s cooperation with the CTIIC is voluntary. However, the White House continues to advocate for legislation to encourage threat intelligence sharing between the public and private sector, including federal data breach notification rules and data sharing regulations that will impact private companies in every industry and in every state. Further, companies wishing to cooperate with the CTIIC need to address rising privacy concerns and legal implications of sharing data. In a rapidly expanding and ever-changing cyber security climate, private companies need to continually assess the delicate balance between the privacy of their customers, data sharing with the CTIIC, compliance with expanding data regulations, and implementation of concrete preventive data breach measures in their own corporate cultures.
Even with the formation of the CTIIC, “[t]he private sector cannot and should not rely on the government to solve all its cybersecurity problems,” Monoco said. There are policies and protocols that businesses can and should take to protect themselves and their customers from cyber security threats. “The threat is becoming more diverse, more sophisticated, and more dangerous,” Monaco said. “Cybersecurity is and will remain a defining challenge of the 21st century . . . there’s no putting this genie back in the bottle.”