Information sharing among private sector companies and with the federal government suffers from a tragedy of the commons, lawmakers were told Wednesday — everyone wants to receive information about cyberthreats, but few are prepared to make the effort to give back.
“To do information sharing, that takes work,” said former White House cyber official Rob Knake, testifying on behalf of the Global Resilience Institute before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection. Additional staff have to be hired, or existing ones assigned away from their regular duties, he said. Especially during the immediate aftermath of a hack, “That’s the last thing you want to do.”
But it is precisely at that time that the value of sharing is greatest, he added, calling that “One of the hardest problems in information sharing — when you’re attacked, sharing information doesn’t help you, it helps everyone else. When an incident happens, what everybody wants to know is why did that happen and what can they do to protect themselves … are they being targeted by the same adversaries?”
At the moment, he said, “We have no mechanism to do that other than leaks and media reports and rumor, innuendo and surmise.”
Knake was part of a panel of experts and former officials who painted a downbeat picture of the cyberthreat information sharing programs established by DHS in the wake of the 2015 Cybersecurity Act, which created a legal safe harbor for companies sharing information with the federal government.
Even to just receive information from the department’s Automated Indicator Sharing program, companies have to on-board special technology and sign a boutique legal agreement with DHS, added Patricia Cagliostro, the federal solutions architect manager for Anomali. “It can take weeks for them to actually get connected” to AIS, she said.
“The first thing is to make it easy for people to do,” she said. “Trust and ease of use are critical. Threat intelligence is the cyber no-fly list; if it’s not integrated with security controls, it can’t stop attacks.”
In Anomali’s information-sharing platform, she said, sharing back was integrated into threat analysts’ workflow. “Analysts just check a box to share back,” she said.
The main reason for delays in DHS’ distribution of attack indicators was “over-classification of threat data,” said Ann Barron-DiCamillo, a former DHS official who is now vice president for cyber intelligence and incident response at American Express. “In light of the public sector’s caution, private sector firms increasingly turn to private sector cybersecurity companies for timelier and more contextualized information,” she said.
Even issuing clearances to private sector executives was of little use, because the people that have access to classified data can’t share what they’ve learned. “Information classified at that level can’t be actioned on an unclassified network,” she said.
Moreover, she added, the clearance issue was complicated by the fact that, to take part in DHS information sharing programs, companies “get forced through [a DHS] facilities clearance process” rather than the alternative Pentagon process for clearing individuals. “We don’t have any interest in developing facilities infrastructure” to receive classified indicators, and the process limits the number of cleared individuals a company can bring on, she said.
Knake said one solution was to incentivize sharing through the use of insurance discounts.
Subcommittee Ranking Member Rep. Jim Langevin, D-R.I., called the level of private sector participation in the AIS program “frankly unacceptable.” In part, he blamed the department. The attack indicators it shared, he said, were “often late and lack important context.”
“I look forward to hearing insights and recommendations … that we can take back to DHS to help them improve,” noted Chairman Rep. John Ratcliffe, R-Texas.