Threat info sharing: Easier said than done
- By Derek B. Johnson
Information sharing is easier said than done. The Department of Homeland Security has set up a number of programs, such as Automated Indicator Sharing, designed to build a foundation for just such a partnership. Thus far AIS -- designed to facilitate machine-to-machine information sharing between government and industry -- has largely operated in only one direction, with officials acknowledging earlier this year that only half a dozen non-federal entities are sending threat information back to DHS.
A staffer for one cyber-minded Democratic member of Congress told FCW earlier this year that the lack of traction on two-way information sharing is concerning and could be cause for re-evaluating the structure and effectiveness of programs like AIS in the future.
The Department of Defense recently received a larger role protecting the homeland in the Trump administration's new cyber strategy. Deputy Assistant Secretary of Defense for Cyber Policy Ed Wilson pointed to election security as an example of where the DOD developed "unique arrangements" with DHS to share information and intelligence about particular threats that would then get passed down to officials at the state and local level.
Wilson said DOD is currently leveraging pilot projects and task forces to explore additional opportunities, and the department wants to engage with the defense industrial base in particular joint ventures to protect private-sector companies that make up much of U.S. critical infrastructure.
"We're looking at how can we share information in a more agile sense, how can help with sensors, especially on the smaller companies," Wilson said at a Nov. 13 cybersecurity event hosted by the Foundation for Defense of Democracies. "The larger corporations tend to do well; it's the second- and third-tier suppliers that are at the most risk and where we're seeing the most exfiltration [of data]."
The federal government has come a long way on the issue of information sharing in the past decade. John Carlin, former assistant attorney general for national security at the Department of Justice during the Obama administration, pointed to a dramatic shift in recent years regarding the willingness of federal agencies to share information on cyber threats.
In 2007, Carlin led the FBI's Computer Hacking and Intellectual Property program. Next door, another FBI squad focused on cyber intelligence threats. Despite their proximity, the two teams operated on opposite sides of a locked door and never spoke to each other.
"The whole time I was working those cases, I never knew what was happening on the other side of that door," said Carlin. "In fact, an agent would occasionally switch squads and then just disappear, never to be seen again. We didn't know what happened."
Later on in his career, Carlin went to work for then-FBI Director Robert Mueller and got a first-hand look at what was happening on the intelligence side, with countries like China using state-owned cyber tools to siphon billions of dollars from American companies and research universities.
Carlin said that government failed to apply the core lessons of 9/11 – appreciating the need to share information across the law enforcement-intelligence divide. Agencies also need to open up the spigot to other government partners and the private sector, he said. They must also break through the "classification by default" mindset that many intelligence officials have been trained to follow.
"When I talk to [the] private sector, understandably there's a lot of confusion that they're going to be...punished or [face] civil action if they go tell people about threats," Carlin said. "So the current cost-benefit analysis inside our own C-suites is often, 'Let's not tell someone about a threat.'"