Nearly one year after Congress passed the Cybersecurity Information Sharing Act, both agencies and private sector companies have a long way before they fully jump on board the communal “neighborhood cyber watch” that the Obama administration has pushed.
About 50 agencies, private companies and organizations have joined the Homeland Security Department’s automatic information sharing (AIS) network. About 40 private sector companies are mostly receiving cyber threat indicators from the DHS AIS. One company is both receiving and sharing information with the department.
DHS met the congressional deadline and released guidelines in June for private companies that want to join its network. Those entities haven’t had much time to join and get acquainted with the DHS system yet, Andy Ozment, the department’s assistant secretary for cybersecurity and communications, said.
“We knew from the beginning, and we’ve been consistent throughout, saying that we want to grow deliberately, because we knew that we’re doing something new,” he told reporters after a Sept. 27 speech at the U.S. Chamber of Commerce Cybersecurity Summit in Washington. “It’s not our job to say this is what you, the private sector, want. It’s our job to work with the private sector and get their feedback and adjust our offering to what they want. That’s what we’re doing, and so we’re quite comfortable with where we are right now.”
Ozment said the department is asking the 50 entities for their feedback about their challenges and successes in using the AIS.
“We’re tweaking the system every day to improve it based on this customer feedback,” he said. “That’s one reason that we’re growing deliberately, because I don’t think any of us know yet what exactly is the information that companies are going to find the most useful. We want to grow steadily over time, constantly evolving to meet that customer demand.”
DHS is also taking a deliberate approach because the standards in the DHS network aren’t yet perfect, Ozment said. The AIS must be able to communicate with everyone.
“We’re finding all sorts of challenges where the standards weren’t clear, or where people implemented things differently,” he said. “We’re fixing those, in part, by upgrading our system but also by working on the standard. We expect to see new STIX and TAXII standards, version 2.0, in the next few months, and they will take those standards even further.”
As Ozment acknowledged, many agencies are still developing their own information sharing capabilities.
“We’re going to start getting more indicators through the system from [the agencies] relatively soon, but they’re also still on that evolutionary path,” he said. “I should highlight though, that they give us information — and other companies — give us indicators from the private sector and the governmen;, we’re just not yet getting them fully through this system. That’s where we’re trying to push people to move.”
The National Security Agency, for example, is working to make its data more usable and compatible with the DHS sharing network. It declassified and cleaned up 60 percent of its cyber threat indicator information, and the agency is adding more every week, said Rick Ledgett, deputy director for the National Security Agency.
Federal agency systems make up 20 percent of all networks in the U.S., he said, meaning that partnership and collaboration with the private sector companies who own the remaining 80 percent is particularly important.
“It’s not perfect yet, but if you join us now, you can help us shape what this system will be to make sure that it meets your needs and it’s well designed for the problems that you have,” Ozment said of the AIS.
Collaboration on cybersecurity will take time, 2 agencies say
Agency leaders at DHS, as well as the Commerce and Justice departments echoed the call for industry buy-in. But they also suggested that cultivating that collaborative relationship will take more time — and perhaps a more advanced approach.
“The federal government cannot regulate cyber risks out of existence,” Commerce Secretary Penny Pritzker said. “What we can do is work with you —business leaders, technical experts and cybersecurity professionals — to better manage cyber risks. At Commerce, we believe cybersecurity requires a new, proactive, collaborative approach between government and industry, one not reliant on static requirement but on vigilant continuous cyber risk management.”
Other than the promise to maintain their privacy, CISA provided private sector companies with few formal incentives to join the DHS network, said House Homeland Security Committee Chairman Michael McCaul (R-Texas). He said his committee will conduct “rigorous oversight” to make sure that both companies and agencies are joining the AIS. The DHS network won’t perform well without solid participation, McCaul said.
Yet providing incentives isn’t a concern for DHS.
“There’s plenty of companies out there that just want to do the right thing,” Ozment said. “We don’t have an incentive for them beyond liability protection, but fortunately I don’t think we need an incentive beyond liability protection. We have a lot of companies out there that want to do the right thing, and frankly, want to get the benefits of receiving this information as well.”
But for Ledgett, the Cybersecurity Information Sharing Act is just the beginning.
“[CISA] was a step in the right direction,” he said. “It was a necessary first step. I don’t think it was the final step.”
Whether a major incident occurs in the public or private sector, the goal is to think about cyber response as a whole government approach, Ledgett said.
Pritzker envisioned government’s future cyber incident process to the kind of simple, immediate response a person might get if he or she calls 911. Someone can call one number and get directed to the correct medical, fire or police department.
Ledgett pictured a similar vision for the future.
“It would look like a place where we have automated response mechanisms across the private sector and the public sector, and there’s a shared situational awareness, so that when we see activities come in, we have logic in place that would let network entities take action automatically in response to attacks of various kinds,” he said. “We’re a little ways away from that, though.”