For years, U.S. government officials have been trying to provide firms with actionable threat data in time for corporate officials to block hackers from compromising their networks.
The 2015 Cybersecurity Information Sharing Act (CISA) gave firms legal cover to provide threat data to the government; the Department of Homeland Security rolled out an automated threat-sharing program in 2016; and Republican and Democratic administrations have preached the information-sharing gospel at conferences across the country.
But today, amid consistent nation-state cyberthreats to U.S. companies, there is a growing consensus in Congress and in the private sector that these federal efforts are falling way short of expectations and needs.
Two years after DHS established its Automated Indicator Sharing (AIS) program, just six non-federal organizations are using it to share threat indicators with the government, a DHS official told CyberScoop.
“That’s unacceptable and it surely doesn’t reach the threshold I hoped it was going to achieve,” Rep. Jim Langevin, D-R.I., told CyberScoop.
In an interview, Langevin reflected on the shortcomings of AIS and the legislation that paved the way for it.
“Clearly, CISA has not yet reached the full potential that I and many others had hoped it would,” Langevin said.
“We had this grand vision that once we passed the bill that the legal obstacles and the perceptual obstacles would come down,” he said, “and that everyone would be enthusiastically accepting threat information from the government and be sharing threat information back with the government.”
That simply hasn’t happened yet.
Langevin said he was still hopeful that the information-sharing regime could be significantly improved. But given that it took years of horse-trading to get CISA passed, it is an open question whether the problem can be solved through more legislation.
A spokesperson for Rep. Dutch Ruppersberger, D-Md., another close follower of AIS, said the congressman wants DHS to brief House appropriators on how the department will get more companies to share threat data through the program.
“[I]n order for AIS to be successful, it has to be mutually beneficial,” Jaime Lennon, Ruppersberger’s spokesperson, told CyberScoop. “We need the private sector to step up and contribute more, but we have to make it easier, quicker and more fulfilling for them, too.”
DHS officials have echoed that point.
“Our shared success and security is dependent on the continued voluntary participation of private sectors,” Jeanette Manfra, DHS’s top cybersecurity official, told CyberScoop recently.
Manfra has said the department plans to update AIS this year to include automated feedback from customers on what they are doing with the threat data.
Some good with the bad
AIS is not the only information-sharing game in town – it is simply DHS’s effort to do it at machine speed. The current struggles notwithstanding, Chris Cummiskey, a former DHS official and current cybersecurity consultant, said the department has come a long way in its threat-sharing efforts.
“Only in the last several years has the department been in the position to collect the kind of [threat] data that would be usable” by the private sector, he told CyberScoop. DHS’s ability to pass the data along is maturing, he added, through the growth of its 24/7 watch center known as the National Cybersecurity and Communications Integration Center.
And while the amount of private-sector data going to the government through AIS is not flattering, much more information appears to be flowing in the other direction. More than 260 federal and non-federal entities, and 11 international computer emergency response teams are connected to AIS, according to DHS.
There are also increasingly robust information-sharing efforts outside of government. The nonprofit Cyber Threat Alliance (CTA) for example, disseminates threat information to its corporate members, which include Cisco and Symantec.
Ahead of the announcement last month that alleged Russian hackers had assembled a massive botnet targeting 500,000 routers, Cisco was able to share malware samples so that CTA members could respond to the threat, according to Neil Jenkins, CTA’s chief analytic officer.
By the time Cisco’s threat intelligence unit published a blog on the botnet, many CTA members had already applied protections against the threat, Jenkins told CyberScoop.
Such private initiatives are encouraging, observers say, but the one thing they can’t generate is classified threat intelligence. Industry executives want the government to get that classified data into the hands of more corporate officials — and to declassify it more quickly to reach a wider private-sector audience.
Some executives are mystified as to why the U.S. government — the gatekeeper of untold volumes of digital footprints — apparently still struggles to provide timely information that companies can’t get from a private cybersecurity service.
“I don’t have an answer as to why it’s so difficult to get context sometimes” with government-provided threat data, Sarah Urbanowicz, chief information security officer for engineering firm AECOM, told CyberScoop.
The “context” that Urbanowicz and many other executives seek might include qualitative analysis to complement the technical details provided on hackers. But that context is often at odds with demands for getting information a machine speed.
Scott Goodhart, chief information security officer of power firm AES Corp., called for a frank discussion with the government on the challenges it faces in pushing threat information out.
“If you know there’s a Chinese threat coming in or something, I don’t care what technique or method they use necessarily to get in, tell me the information so I can feed my systems and block it,” Goodhart told CyberScoop.