The Obama administration’s plan to create a new Cyber Threat Intelligence Center would mean the government would put its collective knowledge about current cyber threats at any given time into one place. But the Department of Homeland Security sees the CTIC as serving two more purposes: Integrating cyber threat data with more old-fashioned intelligence sources, and declassifying the end-product so it can be shared outside the intelligence community.
In announcing the stand-up of the CTIC earlier this month, White House officials said the new center would be modeled after the National Counterterrorism Center, without replicating its actual functions or those of the National Cybersecurity and Communications Integration Center (NCCIC).
But Suzanne Spaulding, the undersecretary of Homeland Security for the National Protection and Programs directorate, said it’s also important that the new interagency team not examine cyber as an island unto itself. The nascent organization, she said, needs to be able to look beyond the ones and zeros, and combine what the IC knows about malware with what it also knows about the rest of the world, including the state and non-state actors who are using it.
“I’m looking forward to the day when we can sit down with not just the cyber experts in the intelligence community, but also with the regional experts who can tell us why a given actor is doing what they’re doing,” she told a Washington conference hosted by the New America Foundation. “What are the gaps for this actor? What else might they be looking for? If we see activity around a particular target, what might that mean? Part of what I worry about in our cyber effort is that we’re always looking under the lamp post, because that’s where the light is. So I think there’s tremendous value in bringing all of this together.”
Like its counterterrorism counterpart, the new CTIC would serve as the center of gravity for the information the intelligence community collects about cyber threats so that it can be shared and coordinated throughout the federal government.
But Spaulding said DHS envisions the cyber center as serving an additional purpose: Distilling the day-to-day threat analysis into an unclassified format so that her agency can use it to carry out its mission of helping to protect federal civilian and private sector networks.
“It’s going to be the one place we can go to get cyber intelligence information declassified, and that’s a big part of what we do,” she said. “That’s our whole raison d’etre; our whole mission is to get information out as broadly as we can. CTIC is specifically tasked to do that, and I think it will be hugely valuable.”
Voluntary framework effort coming
A few days after the White House announced the formation of the new cyber threat center, President Barack Obama signed an executive order intended in part to “encourage” the development of new information sharing and analysis organizations (ISAOs) in the private sector.
Decisions to establish those centers would be entirely up to private companies and nonprofit groups, but the administration aims to accelerate their creation — and boost industry’s willingness to contribute threat information to them — by telling DHS to help create a common set of information sharing standards and best practices.
The department most likely will respond to that mandate by establishing a grant process that would create an independent, third-party nonprofit organization that would work with industry to record and model the best outcomes of existing nongovernmental information sharing and analysis centers, Spaulding said.
To create the standards, DHS will follow the process the National Institute of Standards and Technology used to create a national cybersecurity framework, in which NIST saw its role as mostly that of a convener and hoped industry would do most of the heavy lifting.
“This will be very similar,” Spaulding said. “The idea here is that there are all kinds of private-sector groups that are coming together to share information with each other. We don’t view that as competition: we welcome that, and the most important thing is that the information is shared. We would obviously welcome the ISAOs to share cyber threat indicators with us too — and it doesn’t need to be associated with any particular company. We need the technical information so that we can help protect networks.”
Serving as the initial shepherd of the ISAO process would mean that DHS will move slightly beyond the cyber protection roles it’s assumed thus far: protecting civilian government networks and assisting in the defenses of the 16 critical infrastructure sectors it typically deals with today.
NCCIC to be single portal
Spaulding said the standard-setting effort will involve a much broader swath of industry, and aims to give companies a certain level of comfort that their information would be protected if they decide to join up with an information-sharing organization that grows out of the process. She said DHS could help by encouraging built-in information sharing protections, including for privacy and personally-identifiable information.
In much the same way that NIST had the credibility with industry to lead the creation of the cybersecurity framework, Spaulding said DHS also has built a reputation of trust with certain segments of the private sector, based in part on its track record of helping to build companies’ protection plans for physical infrastructure without disclosing the information they’ve provided to potential competitors or to other agencies that serve as regulators.
Still, she acknowledged that there are widespread industry concerns about whether it is wise to share information with federal agencies, and consequently, a reluctance to share data.
“There are concerns about liability, and that’s why the administration has proposed that the NCCIC be the single portal for the private sector to share cyber threats, and give liability protection for that information,” she said. “We want to bring that information into a single place so that we can connect the dots, and then get it out in near-real-time to all of our stakeholders with appropriate privacy protections. We’re able to do that in DHS, we think, because we have built that relationship of trust. Companies can give us vulnerability information, and we are not allowed to share that information as the basis of regulatory action, or for criminal or civil litigation, and it’s not subject to the Freedom of Information Act.”