Cybersecurity expert explains importance of NCCIP Act
“This is a Cybersecurity 911 system for our critical infrastructure,” said Tom Kellermann regarding the National Cybersecurity and Critical Infrastructure Protection Act of 2013 (NCCIP).
Kellermann is the managing director at Alvarez & Marsal, a global professional services firm that offers strategic guidance and advisory services to other businesses. Kellermann is a Certified Information Security Manager (CISM) with 17 years of experience in cybersecurity, risk management, and incident response. He served as a commissioner on the Commission on Cybersecurity for the 44th President.
The NCCIP Act is currently pending legislation in the House of Representatives, but Kellermann is optimistic that the bill will be approved later in 2014.
The NCCIP is a unique piece of legislation that will allow the DHS to take a more active role in cybersecurity by forming a partnership with private businesses to share information, provide support in responding to cybersecurity threats, and offer education and training to businesses that request it.
“It will allow the DHS to take over the cybersecurity response for private industry. The legislation also allows the companies to request assistance, receive cybersecurity audits to expose vulnerabilities,” he explained.
“The NCCIP was a piece of a larger cybersecurity bill that did not pass in the House of Representatives. It has been in development for three years,” he said. “Other countries have been providing this type of support, but this would be a first in the U.S.”
Kellermann expressed strong support for the NCCIP Act. “It has been very difficult for private businesses to get cyber security support, except from the Secret Service or the FBI,” he explained, adding that the legislation is critical to providing the support that businesses need to survive in this climate. “It will act as a clearinghouse for cyberattacks and assistance.”
Kellermann went on to discuss some of the consequences of cybercrime for private businesses. “Beyond capital losses, it undermines consumer confidence and creates systemic risks,” he said. “If you attack one business, you could attack other businesses in the same industry and create an even larger problem until it begins to spread like a disease.” He believes that the support of the DHS will “help deal with the infestation and colonization of cybercrime.”
The cybersecurity threats facing some companies include not only cyberattacks and security breaches designed to expose financial data, but also intellectual property theft by nation states, criminal syndicates, and foreign competitors, which he believes is an even more serious issue. “Ninety percent of business assets are digital now and they are dependent on computers.” He explained that intellectual property for businesses could include proprietary secrets such as formulas, algorithms, analytics, software architecture, and even future plans.
Participation in the program will be optional for businesses, which is an issue that concerns Kellermann. “There will be businesses that will not accept the assistance and become the islands from which the disease spreads.”
He mentioned that some companies have already expressed some resistance to the legislation. When asked why, he explained, “Some of them do not want to annoy foreign governments that they already work with. They would like to maintain a lower amount of legal liability to say that they were unaware of these threats. Some of them view cybersecurity as just another added expense.”
Outside of the legislation, he believes that businesses should do more to “create a forward-leaning cybersecurity strategy.” He explained that businesses “put too much emphasis on perimeter defenses like firewalls.” Instead, he advises them to “build super-max security prisons around data instead of castles and moats because the cybercriminals are already there.” He elaborated by saying that the system should lock intruders inside and prevent them from reaching the data.
In addition, he stressed the importance of performing risk assessments and advised businesses to hire cybersecurity experts. He mentioned that businesses should carefully evaluate third-party software, as some of it may put them at even higher risk. Finally, he advised businesses to arrange partnerships with forensics firms to handle incident response and forensics after cyberattacks. He added, “Businesses should allow the firm to find the thief, so that they can focus on recovering from the incident.
“Companies should know how to take a hit and still survive.”