For Alexander, the privacy concerns are real and necessary, but hardly an insurmountable obstacle.
"Right now, the ability to share real-time information and threat information is complicated and there are legal barriers to it. We have to overcome that. Now, I'm not talking about sharing personally identifiable information. We don't need that. We just need to share threat information on malicious software and the problems we see on equipment," Alexander says.
Cybersecurity Policy Legal Liability Concerns
Another critical aspect of enacting an effective information-sharing regime will involve shield provisions to protect companies that participate in good faith from legal liability, according to Alexander. Companies must have every incentive to share threat information with the relevant authorities for such a program to operate effectively, he argues, and that would necessarily include meaningful liability safeguards.
"We need to protect them from lawsuits. Where's the liability protection that comes in there? We've got to get that right," Alexander says.
While the discussion over information sharing raises sharp concerns from civil liberties groups, the notion that a more fluid exchange of threat data could improve the nation's security posture is itself less controversial.
That helps explain why a bill like CISPA takes a fairly narrow focus on that one aspect of the debate, while shying away from the more comprehensive approach that some recent proposals in the Senate have contemplated.
A key fault line in those discussions has been the extent to which the federal government should involve itself with oversight of the security systems in place to protect critical private-sector systems.
Alexander acknowledges that federal oversight is a thorny issue, and stresses that infrastructure operators in different sectors can't all be held to a uniform standard that would pave over significant distinctions in their systems and industries. In that light, he praises the executive order that President Obama issued earlier this year for its effort at beginning a dialogue between the government and private-sector firms to help encourage a greater understanding of the nuances of different industries and the security challenges they face.
"Where this gets really hard is when we say now we want to set standards and reporting vehicles. The first thing that everybody gets really nervous about is [that] they're going to set up a framework that's going to be a bureaucratic nightmare. And the answer is, this is hard," Alexander says. "How do you establish standards across the country where all the different sectors are at different levels of compliance and everyone looks at the network differently? And the answer is, that's almost impossible to do ..."