Avoiding Delays in Sharing Threat Data
Improving Communication Between Government, Private Sector
The buzzwords on matters of cybersecurity in the nation's capital this year are "information sharing."
The House passed the Cyber Intelligence Sharing and Protection Act earlier this spring, and there's chatter that the Senate Intelligence Committee will draft its own version of that bill [see House Handily Passes CISPA]. President Obama, in an executive order issued in February, called for the government and business to share cyberthreat information [see Obama Issues Cybersecurity Executive Order].
Information sharing between the government and industry to identify cyberthreats has been going on for years. New legislation, such as CISPA, is intended to promote more information sharing by providing liability protections to businesses that share information, as well as to protect citizens' privacy and civil liberties.
But for cyberthreat information sharing to be effective, it must be timely. And, unfortunately, that's not always the case, according to Charles Edwards, Department of Homeland Security deputy inspector general.
The DHS inspector general's office interviewed a number of private-sector partners of the department's National Cybersecurity and Communications Integration Center, known as NCCIC (pronounced N-kick), an around-the-clock information sharing, analysis and incident response organization. The partners - owners and operators of critical infrastructure that use NCCIC's networks and portals to retrieve advisories, vulnerability information and best practices - told the IG that gaining access to information isn't always simple.
At a hearing held this past week by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, Edwards outlined some challenges DHS faces in sharing cyberthreat information. Among them: DHS does not have a consolidated summary overview page on its network that highlights new information and activities to ensure cybersecurity information is effectively shared. That doesn't sound so threatening, but when it comes to sharing cyberthreat information, time really matters. Edwards testified that critical infrastructure operators had to search each site individually for pertinent and updated information, adding: "These searches can be time-consuming for the stakeholders."
Edwards also said information for each of the 55 communities of interest on NCCIC's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, portal is arranged differently, making it more cumbersome for the users to retrieve useful information. Some Homeland Security information network users told the IG that the various communities of interest contain duplicate information.
ICS-CERT officials acknowledged to the IG that existing communities of interest could confuse owners/operators. To eliminate duplicate information from the communities of interest, Edwards said, ICS-CERT created a subcommittee to address stakeholder concerns regarding the communities of interest.
It's not just easy access to information that concerns stakeholders. Edwards said DHS does not communicate in a timely way the results of its remote technical and onsite assessments of the IT security of critical infrastructure operators to stakeholders. "The stakeholders are concerned that a great deal of time might elapse until stakeholders were made aware of the same or similar incident that could affect their systems," he said.
Edwards said having advanced notification would help increase dialogue among government agencies, private-sector infrastructure owners and ICS-CERT in developing solutions and mitigating strategies as well as determining whether an incident is isolated or systemic.
The barriers to cyberthreat information sharing that Edwards outlined in his testimony aren't hard to surmount. Still, DHS must take steps to fix them because simplifying processes to share information will help in the battle against cyber-attacks. Time is of the essence.