Security pros: Cyberthreat info-sharing won’t be as effective as Congress thinks
Though there's renewed momentum in Congress to finally pass a cybersecurity information-sharing bill, technology industry professionals say the proposals will primarily help government and won’t aid the private sector.
Members of Congress have renewed interest in passing a cybersecurity bill after hackers breached the Office of Personnel Management and compromised the personal information of millions of federal employees.
While Senate Republican leaders' plan to attach a cybersecurity measure to a must-pass national defense policy bill was blocked this week, lawmakers from both parties made strong statements supporting passage of a standalone bill in the near future. The cornerstone of that plan – and similar bills passed by the House of Representatives in April – was to streamline the exchange of threat information between the government and the private sector as a way to safeguard the nation's computer networks. It has bipartisan support on Capitol Hill and in the White House.
As Majority Leader Mitch McConnell (R) said this week, swapping intelligence about threats "will increase the ability of the public and private sector to share information and make us safer."
As much as lawmakers want to strengthen the country's collective digital defenses, however, many technology industry executives and experts tell Passcode they doubt the proposed information exchange will have much of an impact when it actually comes to improving network security. They say the debate in Washington is too focused on clearing the way for companies to provide intelligence about the threats they see – and not nearly enough focus on ensuring companies quickly receive quality data about threats the government detects.
"All the efforts we’ve heard so far are kind of greasing the skids to make it easier for the private sector to give information to the government and not the other way around," says Rick Howard, chief security officer of Palo Alto Networks. "That’s a problem."
Yahoo’s chief information security official Alex Stamos says his company often reports crimes to the government, "but we very rarely get information back that then helps us find other attackers."
Information-sharing may be a relatively "easy thing to get past Congress ... [but] the best thing the government could do is figure out a way to rapidly declassify the information, so instead of getting it years after a possible breach, we get it within minutes of government finding out," Mr. Stamos said in a podcast discussion with Passcode and New America that aired in April as the security proposals were moving on Capitol Hill.
Key flash points in the cybersecurity debate have involved finding ways to ensure companies will have liability protection from such things as exposing customer data to government agencies. Companies and privacy advocates also want to make sure there are enough safeguards to protect customers' privacy if information passes from the Department of Homeland Security to other parts of the government such as the National Security Agency.
Many industry officials, however, say these efforts – while important and a good first step – are not really major incentives for them to share information with the government. Instead, they are meant to remove the hurdles and obstacles to sharing that are currently in the way.
In fact, even without this kind of federal law, companies say they are already sharing technical information with each other to prevent threats and are encouraged by the results.
Mr. Howard’s company cofounded the Cyber Threat Alliance with Symantec, Intel Security and others, forming a group of security practitioners who all agree to share information to collectively improve their defenses. “It puts everybody’s skin in the game,” Howard says.
It will be difficult for the government to scale up this type of model and become an equal partner in sharing, security pros say.
Part of the problem is that the government tends to label all the information it gathers as secret, says Mark Weatherford, principal at security advisory firm The Chertoff Group. "Once things get classified, it becomes an order of magnitude harder to share it,” he says. By design the government is “very good at receiving information, but not so good about sharing information back.”
Mr. Weatherford previously served as the top cybersecurity official at the Department of Homeland Security – the agency that, under current proposals, would become the central repository for the threat information. “These formal programs the government is talking about setting up ... . I just don’t think they can be as successful as the government wants them to be.”
He recalls setting up classified briefings for private sector leaders when he was in government. Company officials often needed background checks to receive the threat information. Many times, at the end of the briefing, Weatherford says, "They all look at each other going, 'Is that all there is? Seriously, this is classified?' "
Without a true incentive for companies – other than that “it’s the right thing to do,” Weatherford says – there’s “real risk" they won’t share as much information as the government wants.
Small and mid-size companies may stand to benefit the most from the information sharing proposals, since they may not be able to afford the security and threat intelligence resources as some of the bigger companies. "It would be of more use to them than having nothing at all, which is what many of them have today," Weatherford says.
Even so, these companies should develop their own independent information-sharing networks and security plans, he says. "Anybody relying solely on the government for information is in big trouble. There is no cavalry. There is no government white horse coming in to save the day.”
Not everyone is so skeptical of the information-sharing proposals, however. Kris Lovejoy, chief information security officer for IBM, says the initiative will not "miraculously" change the cybersecurity landscape – but it will be a good first step. "You’re building an infrastructure and a set of processes and partnerships that enable the data to be produced and to flow," she says.
And for its part, the government says it can’t provide better information to the private sector without receiving more information from companies. After all, the government does not own or manage most of the networks in this country – including its critical infrastructure such as financial services or energy systems.
So intelligence officials say they no other way of knowing what information is most useful to private companies without hearing a lot more from them directly.
"You need whoever owns it to be able to tell you, 'I’m vulnerable to that. That really hurt. That’s not a big deal,' " says Jim Richberg, national intelligence manager for cyber at the Office of the Director of National Intelligence. "If we have a better sense of what we’re looking for, we can put more actionable intelligence out to them, enabling better cybersecurity on their part, allow them to get ahead of threats."
At an event moderated by Passcode at the RSA conference in San Francisco in April, White House Cybersecurity Coordinator Michael Daniel assured an audience of information security professionals the government is already getting better at the declassification effort.
“When we produce products in the intelligence community, for example, that are related to cyberthreat indicators, they automatically now come with the different classification levels and an unclassified tear line by default," Mr. Daniel said, "So that now you don’t have to go back and ask, 'What part of this is unclassified that we can share?' It’s right there. So I think the government will get better over time."
Still, Mr. Richberg acknowledges that when it comes to sharing government information with companies, "it’s not a quid pro quo."
"If we find a silver bullet, or a smoking gun, or something before it’s used," Richberg says, "we’ve already got ways – and we’ve used them – to make sure it gets to the target or the victim." The problem, he says, is that the government usually finds out about malicious activity after the fact.
So more information funneled into the government from companies will help US personnel tackle increasingly sophisticated threats, says Bill Evanina, who is the country’s national counterintelligence executive. "Whether it’s Russia, China, Iran … in order for us to put a clear picture for what a particular country is doing, we need intelligence."