The ability to share information about threats in cyberspace requires trust. But the days of relying on personal acquaintance with the person at the other end of the line to share information are long gone.
“When we’re talking about the nature of the threats, the speed with which they move, their global reach, it’s just not something you’re going to solve with someone you’ve formed a face-to-face relationship with,” said Rich Struse, the Department of Homeland Security’s Chief Advanced Technology Officer. It’s not even trust-based organization-to-organization sharing now. “We’re now poised on the edge of a world where we have machine-to-machine sharing.”
And cybersecurity in today’s world requires all those levels of trusted relationship, he said.
“We need the person-to-person sharing [so] I can reach out to someone I can trust to say, ‘Hey, here’s my theory’ [of what’s happening], but it needs to ride on a foundation of actionable cyber threat intelligence that’s flowing through this ecosystem at a high rate of speed,” Struse said.
Struse was one of the panelists at AFCEA’s Homeland Security conference held in March. The issue of sharing cyber threat information revealed the ongoing tension between the federal government and the private sector.
Bob Dix, vice president of government affairs and critical infrastructure protection, Juniper Networks, pointed to the President’s Executive Order on private sector cyberthreat information sharing issued in February, and legislative actions taken and being considered by Congress, as an example of that tension.
“The creation of the executive order, the creation of the legislative initiatives, the private sector was left outside of that process,” Dix said. “All these things we talk about today, the [Information Sharing Analysis Center] community delivers results every single day … I find it ironic that this executive order’s title” talks about improving the private sector.
The media emphasizes the wrong kind of liability concerns faced by the private sector, said Charlie Benway, executive director of the Advanced Cyber Security Center. Companies are not looking for legal protections against the accidental release of private information.
“If I share a threat with you, you take action and there’s some [consequence], am I liable?” Benway explained.
Nicole Dean, director of cyber business development, Raytheon, observed that “lawyers … tend to inhibit a lot of the cyber information sharing … We have to maintain agreement after agreement after agreement with multiple information sharing entities.”
Dean suggested that some aspects of threat information sharing could be automated in the way that antivirus software offers protection.
“You trust your antivirus software,” she said. “If you know some IP goes to some bad nation-state actor,” that could be incorporated into that cyber protection.
Benway said the biggest challenge the members of his organization face is dealing with the volume of information regarding cyber threats.
Cyber security tools and infrastructure “need to be architected in a way that we can operationalize the threat intelligence that’s being shared,” he said. “There’s so much threat intelligence coming in from so many sources … The key as we move forward is operationalizing that intelligence as it’s received.”