A recent article revealed that the United States government has gotten better at providing unclassified cyber threat information to the private sector. Law enforcement and intelligence organizations have greatly cut down the time it takes to provide unclassified versions of cyber threat indicators (a term that can reference that can refer to a variety of technical data that includes but is not limited to IP addresses, malware, e-mail addresses, etc.) to the Department of Homeland Security (DHS) to disseminate promptly to the private sector. The process had traditionally been slow as it involves an originating agency to determine if the indicator has been properly vetted without exposing sources and methods, per the article.
Speed of delivering pertinent threat information is certainly an improvement in a domain where attacks occur in seconds. A November 2017 report from the DHS Office of the Inspector General provided a report on actions taken during 2016 in fulfillment of direction mandated by the Cybersecurity Information Sharing Act of 2015 with regards to the sharing of threat indicators. Per the report, despite successfully classifying indicators and defensive measures, it still faced challenges effectively sharing such information across the public and private sectors. The report advocated enhanced outreach and a cross-domain information processing solution.
One of the steps taken to ameliorate this situation is the improvement of releasing indicators promptly may have to do with DHS’ Cyber Information Sharing Tool that was set to be updated and upgraded in 2018. Via the automatic indicator sharing tool (a capability that enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed), DHS is able to disseminate such information directly to those organizations that have signed up for it. As of January 2018, more than 200 private sector and government entities had done so, though it appeared per the article that it was believed that most weren’t using the information that they received to automatically block hostile network traffic.
Information sharing continues to be an important endeavor between the public and private sector as such data greatly assists in the detection, mitigation, and remediation efforts of organizations. It also is a confidence building measure to strengthen the relationship between private companies and a government that has been criticized for not doing an adequate job in cyber security. Much of this private sector outreach falls on DHS’ National Cybersecurity and Communications Integration Center (NCCIC). Per its website, the NICCIC serves as the hub of information sharing activities for the Department to increase awareness of vulnerabilities, incidents, and mitigations. The NCCIC’s Cyber Information Sharing and Collaboration Program is the cornerstone on which the public-private information sharing rests.
An April 2018 report by the Government Accountability Office (GAO) found that DHS needed to enhance its efforts to improve the security of public and private sectors. Per the GAO findings, DHS had not developed most of the planned functionality for its National Cybersecurity Protection System information-sharing capability, and moreover; “DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications.”
It’s good to see that bureaucratic red tape is being reduced especially since cyber threats are pervasive, ongoing, and quick. Any effort that reduces the time to get information out of the classified realm and into the hands of the private sector that has often been cited as owning approximately 85 percent of critical infrastructure, a target-rich environment that is increasingly attracting hostile actor interest. With only 200 customers signed up to DHS, such an undertaking is destined to spin its wheels. DHS seems to be making the right moves to improve cyber security to include the recent establishment of its new Risk Management Center. However, what is consistently lacking is getting private sector organizations on board, a critical component of information-sharing. While it does not appear that the private sector can be mandated to get on board, something needs to be done to get everyone on the same page whether that be an articulate communications strategy, an incentive-based program, or some combination thereof. Regardless, DHS is demonstrating its commitment to bringing the private sector on board. When the private sector will finally accept the outstretched hand it’s been given still remains to be seen.
This is a guest post by Emilio Iasiello