In the minds of many, information security and information sharing would seem to be polar opposites.
But in the White House’s new national strategy on information sharing released last month, the two concepts are paired together.
And with good reason, according to Michael Daniel, the White House cybersecurity coordinator. Security and information sharing are “mutually reinforcing,” he explained in an interview on the Federal Drive with Tom Temin and Emily Kopp
Information sharing is a” key ingredient” in a comprehensive cybersecurity approach, Daniel said. Just take a look at some of the most pressing cyber challenges faced by the government: Potential threats against critical infrastructure, cyber-enabled economic espionage against U.S. Intellectual property and threats to global Internet freedom.
“It’s pretty easy to see how information sharing of threat indicators, intrusion methodologies, data about what’s been stolen, supporting the free exchange of ideas — all those things would be really important in our efforts to combat those risks,” he said.
Strategy emphasizes collaboration
The strategy is heavy on the concept of collaboration.
The document also promotes the idea of standardization across government, but with “built-in flexibility for evolving mission requirements.”
The strategy also highlights streamlining the development of information-sharing agreements and using shared services, including shared-computing models, such as cloud computing.
Daniel said agencies have made progress in becoming more collaborative, particularly recently.
“Really, if you take a look at this strategy, it’s really codifying the best practices that have evolved over the last decade and that have really begun to accelerate over the last couple of years,” he said. “And it’s really designed to leverage all of those capabilities that we’ve built and apply them … against the sets of different threats that we face in today’s environment.
But the new strategy doesn’t have a lot to say about the specific technologies agencies use to share information and collaborate. And that’s also by design.
“It’s more about the business processes and the underlying culture that goes into it,” Daniel said. “And not so much the specific technology that we’re concerned about.”
In part that’s because of the rapidly evolving nature of technology which complicates the process of codifying a strategy around it.
“What we want is to leverage the best practices both within government and from the private sector,” he said. “It’s more about expanding and spreading the best practices that are already there than inventing a lot of these things from whole cloth.”
The strategy contains three guiding principles:
Treating information as a national asset. “This really means that it’s (not only) something that should be safeguarded and shared as appropriate with other agencies, departments and partners,” Daniel said. “But it’s something that really has a lot of value and can be valuable when it’s actually shared and used appropriately.”
Shared risk management. “Responsible information sharing means that you have to share that risk among a whole bunch of different departments and agencies,” he said. “That requires accountability, visibility and automation of information safeguards.”
Information should inform decision-making. “Information sharing is not really an end (in and) of itself,” Daniel said. “It’s really about enabling better decision making.” The success of information sharing should be measured by how much it contributed to decision making, he said..
While cyber legislation stalled in Congress last term, Daniel said the administration will continue pushing for a comprehensive package of cybersecurity reforms.
And some part of that will have to include information sharing, Daniel said, “because that’s just a critical component of any of our cybersecurity efforts.”
The administration won’t simply wait on Congress, though, Daniel said. The White House has reportedly drafted a executive order detailing how it could use executive authority to improve the government’s cyber stance.
“We are also going to look at what we can do on our own,” Daniel said, such as sharing threat indicators with the private sector. “This is really something that we’ll continue to press forward on with this Congress, and we’ll just have to see how it evolves,” he added. “But you can be sure that we’ll be pressing for it.”