WASHINGTON– President Barack Obama and lawmakers have announced plans to increase information sharing between the government and the private sector following data breaches at major companies. But companies are hesitant to join these initiatives because of liability and privacy concerns – and sharing information could put them at a competitive disadvantage.
Experts agree information sharing is essential in preventing and responding to cyber attacks, but the government and private sector bring different perspectives and strategies to mitigating the threats.
Companies need to take the approach that there is “strength in numbers,” said Greg Garcia, executive director of the Financial Services Sector Coordinating Council.
“To the extent that we can have what amounts to a neighborhood watch at a national scale, then were going to be better aware of the adversaries and what they’re up to and what they’re trying to do,” Garcia said.
One area where progress has been made is in the sharing of cybersecurity threat indicators, which identify the source of cyber attacks, said Mary Ellen Callahan, former chief privacy officer at the Department of Homeland Security. These indicators can include bad IP addresses, malware that’s embedded in emails or specific coding in software, she said.
DHS and the Mitre Corporation have developed programming languages to improve communication about cyber threat information between the government and the private sector. Structured Threat Information Expression and Trusted Automated Exchange of Indicator Information, known as STIX and TAXII respectively, are used in tandem to quickly share the information.
“It’s one thing to have these executive orders and things, but it’s another to have the technical enablers to make it easy for these companies to do it,” said John Wunder, lead cybersecurity engineer at Mitre. “You want to make it easy to share threat information in a way that you share exactly what you want.”
Yet, these programs haven’t fully developed and more participation is needed to make them effective, said Judith Germano, a senior fellow at New York University School of Law’s Center on Law and Security.
“I hear from companies that they are often less concerned about where the threat is coming from, but what is the threat and what can they do to stop it,” she said. “That’s the valuable information. Some of that is being shared and is very helpful, but it needs to be expanded.”
Last month, Obama announced an executive order promoting cybersecurity information sharing. The order encouraged the development of information sharing and analysis organizations to spearhead collaboration between the private sector and government. He tasked DHS with creating create a nonprofit organization to develop a set of standards for ISAOs.
Despite these efforts, robust information sharing is still lacking.
“Everyone wants information. Nobody wants to give information,” said Mark Seward, vice president of marketing at Exabeam, a big data security analytics company.
Companies fear sharing information with the government could reveal corporate secrets or consumers’ private information, said Martin Libicki, a senior management scientist at the RAND Corporation. He added sharing information with the government could also pose legal risks if the information shows companies did not follow federal regulations.
Germano, who also runs a law firm focused on cybersecurity issues, says cybersecurity collaboration comes down to a matter of trust. The private sector, she said, is weary of the government.
“On one hand [the government is] reaching out as a friend and collaborator to work with companies,” she said. “On the other hand, the same government has an enforcement arm outstretched with the FTC, the SEC that if you do not comply, there can be repercussions, possible lawsuits and other regulatory action taken against you.”
Therefore, only information that is directly related to a threat should be shared and stored, said Callahan, now a partner at Jenner & Block. Further, she said when companies share a large amount of information at once it slows down the process of assessing the threat and they often share more information than is necessary.
The U.S. also lacks “an intelligent and forceful deterrence strategy” for cyber attacks, said Matthew Eggers, senior director of the U.S. Chamber of Commerce’s national security and emergency preparedness department, at a Congressional hearing earlier this month. He also said the government needs to provide more assistance to companies who have suffered from hacks.
“U.S. policymakers need to focus on pushing back against illicit actors and not on blaming the victims of cybersecurity incidents,” Eggers said.
To address some of these concerns, Sen. Tom Carper, D-Del., introduced in February the Cyber Threat Sharing Act of 2015, which looks to provide liability protections for companies when they share cyber information with the government.
The bill would prohibit the government from using shared cyber threat data as evidence in a regulatory action against the company that shared the information. It also strengthens privacy protections and limits how shared data could be used. The bill has been referred to the Committee on Homeland Security and Governmental Affairs.
In February, Obama also called on the Director of National Intelligence to create the Cyber Threat Intelligence Integration Center, a national intelligence center aimed at “connecting the dots” on cyber threats. The center will “collect intelligence, manage incident response efforts, direct investigations” among other responsibilities.
However, experts remain skeptical about the center.
“What concerns me about that is if you read the president’s memoranda on [the Cyber Threat Intelligence Integration Center], it says that it’s consistent with privacy and civil liberties protections as relevant to that agency,” said Callahan, the Jenner & Block lawyer. “Well, the intelligence community, as you know, has reduced private protections.”
The center’s framework will be similar to that of the National Counterterrorism Center, which is a concern for Libicki, of the RAND Corporation.
“The last cyber attack had elements of terrorism in it. Does that mean we should look at this entire problem purely through the lens of counterterrorism?” Libicki said. “Why are you duplicating a methodological framework that culminates in a set of actions, like predator drones, which are totally inappropriate for cyber?”
Kathleen Butler, a spokesperson for the Office of the Director of National Intelligence, did not have any additional comment beyond the president’s announcement of the center as she said initial planning is still underway.
While experts say it will take time for the private sector to fully engage in the information sharing initiatives, the government’s efforts have been mostly positive.
“This is about enabling people to share what they know and get access to what others know such that protection can be more pervasive,” said Bobbie Stempfley, Mitre’s director of cybersecurity implementation. “That’s really a powerful concept.”