Small businesses are effectively shut out from federal cyberthreat information-sharing efforts involving classified data, and even large companies aren’t convinced it’s worth joining the unclassified kind, they told lawmakers checking on progress six months after passing legislation.
Only about 30 businesses nationwide are actually receiving the Automated Indicator Sharing, or AIS, service that the Department of Homeland Security has launched, though over 100 have signed up to do so at some point, the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies heard in evidence Wednesday.
The subcommittee received testimony from industry groups and business executives about the implementation of the 2015 Cybersecurity Act that Congress eventually managed to pass as part of an omnibus appropriations bill last December.
A DHS spokesman said AIS, which was only launched in March, was still evolving and would attract more sign-ups as more businesses learned how much they could gain from it.
Small business owner Ola Sage, who is chairwoman of the IT Sector Coordinating Council, which represents the industry in information sharing policy discussions, told the committee Wednesday how her company, e-Management, had tried and eventually failed to join DHS’ Enhanced Cybersecurity Service program.
ECS is the flagship DHS information-sharing program that provides private-sector members with classified cyberthreat indicators supplied by U.S. intelligence agencies — the NSA’s so-called ‘secret sauce.’ ECS predates the 2015 law, underlining the fact that information sharing has been at the center of federal efforts to improve American cybersecurity for more than a decade.
After initially signing a required and legally binding Memorandum of Agreement with DHS, e-Management ‘experienced our first hurdle,’ Sage explained in her opening statement. While her company offices had a security clearance, it was not a high enough level to receive the documents setting out the requirements to join the ECS program.
Sage said she spent ‘weeks trying to locate’ an office, known as a Sensitive Compartmented Information Facility, or SCIF, that she could use for a few hours to review the documents.
‘We reached out to various government contractors whom we knew either had a SCIF or access to one, but were turned down time after time,’ she said. When her team was eventually able to review the requirements, they turned out to be cost-prohibitive, she said.
The company went on to join a different DHS information-sharing program, through the department’s National Cybersecurity and Communications Integration Center, or NCCIC. Eventually, Sage said, the company built its own server equipped to receive threat data over TAXII — Trusted Automated eXchange of Indicator Information — the DHS-sponsored, machine-readable exchange protocol that carries indicators written in the STIX format. Sage is now considering signing on for AIS, she said, though her ability to participate is ‘constrained by limited resources.’
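What a server on the receiving end of a TAXII feed actually has to do with the indicators it pulls is the part the hearing glosses over. The block below is an added example, not code from DHS, AIS or e-Management: it takes a STIX bundle of the kind a TAXII collection returns, keeps only the indicator objects, pulls the atomic observables (IP addresses, domains, file hashes) out of each STIX pattern, and de-duplicates them against what the local store already holds, which is the ‘is it duplicative’ question raised later in the hearing. It assumes the STIX 2.1 JSON form (AIS originally served STIX 1.x XML over TAXII 1.x and later moved to STIX 2.1 over TAXII 2.1); the bundle, its identifiers and its indicator values are constructed for illustration.

```python
"""Ingest a STIX 2.1 indicator bundle as received over TAXII, extract atomic
observables, and de-duplicate them.  Constructed example, not DHS/AIS code."""
import json
import re

# Constructed sample bundle shaped like a TAXII collection's 'objects' response.
# IDs, timestamps and values are made up (RFC 5737 / RFC 2606 documentation ranges).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2016-06-15T00:00:00.000Z", "modified": "2016-06-15T00:00:00.000Z",
         "pattern_type": "stix", "valid_from": "2016-06-15T00:00:00Z",
         "pattern": "[ipv4-addr:value = '192.0.2.44']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2016-06-15T00:00:00.000Z", "modified": "2016-06-15T00:00:00.000Z",
         "pattern_type": "stix", "valid_from": "2016-06-15T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example.net' OR domain-name:value = 'drop.example.org']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2016-06-15T00:00:00.000Z", "modified": "2016-06-15T00:00:00.000Z",
         "pattern_type": "stix", "valid_from": "2016-06-15T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"},
        # A non-indicator object (the producing organisation); ingestion skips it.
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--00000000-0000-4000-8000-000000000005",
         "name": "Example Sharing Org", "identity_class": "organization"},
        # Same IP again under a different indicator ID: a duplicate within the feed.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000006",
         "created": "2016-06-16T00:00:00.000Z", "modified": "2016-06-16T00:00:00.000Z",
         "pattern_type": "stix", "valid_from": "2016-06-16T00:00:00Z",
         "pattern": "[ipv4-addr:value = '192.0.2.44']"},
    ],
})

# One equality comparison inside a STIX pattern: <object-path> = '<value>'.
# Object paths may contain quoted keys such as hashes.'SHA-256'.
COMPARISON = re.compile(r"([a-z0-9_-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'")


def extract_observables(pattern):
    """Return (object_path, value) pairs for every equality comparison in a
    STIX pattern.  Only '=' is handled; other operators (!=, MATCHES, ...) are
    deliberately skipped rather than guessed at."""
    return [(path.replace("'", ""), value) for path, value in COMPARISON.findall(pattern)]


def ingest_bundle(bundle_json, known=None):
    """Parse a bundle and return (new_observables, duplicate_count).

    new_observables is a list of (object_path, value, indicator_id) for
    observables not already in `known`, a set of (object_path, value) pairs
    the local store holds.  Duplicates, whether against the store or within
    the feed itself, are counted but not re-emitted."""
    known = set(known) if known else set()
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    new, dupes = [], 0
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # snort/yara/sigma patterns need their own parser
        for path, value in extract_observables(obj["pattern"]):
            if (path, value) in known:
                dupes += 1
                continue
            known.add((path, value))
            new.append((path, value, obj["id"]))
    return new, dupes


if __name__ == "__main__":
    fresh, dup_count = ingest_bundle(SAMPLE_BUNDLE)
    print(f"{len(fresh)} new observables, {dup_count} duplicates")
    for path, value, ind_id in fresh:
        print(f"  {path} = {value}  (from {ind_id})")
```

Passing the set of observables you already hold as `known` is what separates a feed that adds value from one that just re-delivers what every other source already gave you; the indicator ID kept alongside each observable is what you need to honour a later revocation or expiry of that indicator.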
But when Sage was asked outright whether the threat and vulnerability information she got from DHS was actually helpful, her response was a long silence followed by a nervous laugh.
‘I would say, probably,’ she said, quickly adding: ‘But there are just so many places to go [to get similar threat data] and there’s an overwhelming rush’ of data once the services are switched on.
Matt Eggers, a policy expert with the U.S. Chamber of Commerce, told the lawmakers during questioning that there were ‘about 30 companies that are directly plugged into the AIS system, with about 100 that have signed up.
‘I expect that that number will grow as folk interpret the guidance’ on the new law issued by DHS and the Department of Justice Wednesday, he said.
After the hearing, DHS spokesman Bob Davis defended AIS, likening it to the ‘see something, say something’ campaign in the offline world, which encourages citizens to report suspicious packages or behaviors.
‘DHS is ‘open for business’ to receive cyberthreat indicators from the public and private sectors at machine speed,’ Davis said. ‘When one participant detects a threat, all participants in AIS will learn about it.’
Davis said, ‘Participants will eventually include federal departments and agencies, private companies, nonprofit organizations, academia, foreign allies, and Information Sharing and Analysis Organizations.’
But Mordecai Rosen, the general manager of the Security Business Unit for IT giant CA Technologies, made it clear in his testimony that reservations about AIS aren’t restricted to small businesses.
‘Our organization is analyzing how it fits into our threat intelligence analytics engine, whether it’s duplicative, whether it adds value, whether we can handle the feed … so that’s us at $4 billion a year, 11,000 people,’ he said, leaving open the question of how a much smaller business might deal with those issues.
Mark Clancy, CEO of financial sector information sharing outfit Soltra, outlined some of the technical barriers to participation, even for a group like his. Certification from DHS had to be obtained, and in terms of testing the feed, ‘There is no actual test system,’ Clancy said. ‘In their rush to produce the platform and make it live, [DHS] didn’t have any test system where you could try things out … so you have to be careful.’
Eggers cautioned that it was still early days to assess the new law. ‘I’m optimistic that things will keep moving,’ he said, adding that he expected a group of ‘vanguard companies’ already committed to information sharing to ‘move out swiftly’ on AIS and other initiatives once technical teething issues were smoothed out.
He acknowledged that ‘it’s really tough for a small business,’ but added that ‘over time’ commercial tools would emerge that might allow smaller participants to take part in a more plug-and-play way.
‘By broadening the depth and increasing the speed of cybersecurity information sharing, the country as a whole will be better able to manage cyber threats,’ said DHS’ Davis.