A step toward better sharing of cyberthreat information?

By: William Jackson
February 5, 2016

The Homeland Security Department announced this week that it plans to soon begin automated sharing of cyberthreat information with the private sector. The department would act as a broker, gathering and normalizing information from participants for redistribution. Government threat intelligence will not be included.

The program is expected to begin on a limited scale later this month, Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications, told the Wall Street Journal at an event this week. He said it will not be an incident reporting system; it will provide only threat indicators. Information that could identify the parties providing information will be removed.

The effort takes advantage of the passage last year of the Cybersecurity Information Sharing Act (CISA), which provides liability protection to encourage sharing threat data among companies and with government. But not everyone is ready to jump in. WSJ reported that 42 percent of CIOs attending its conference said they still were unlikely to cooperate with the government in the wake of a cyber incident.

Some in the industry think DHS can be a catalyst for improved cybersecurity collaboration, however.

“If it is done correctly, there is a lot of room for contributions coming from DHS,” said Kobi Freedman, CEO of Comilion, which provides cybersecurity collaboration platforms. Most large corporations already do some information sharing, he said. This program could bring in many smaller organizations and provide a broader range of information. That could provide more valuable context. “Time will tell how significant the information that DHS is going to provide will be.”

To further this effort, DHS has helped to develop technical specifications “to automate and structure operational cybersecurity information sharing techniques.” Specifications include:

  • The Trusted Automated eXchange of Indicator Information (TAXII) defines a set of services and messages for sharing threat information across organizational boundaries.
  • The Structured Threat Information eXpression (STIX), a standardized language for representing threat information.
  • The Cyber Observable eXpression (CybOX), a standardized schema for the specification, capture, characterization, and communication of events or stateful properties observable in all system and network operations.

The remaining hurdles for more comprehensive sharing of threat information are not primarily technical, Freedman said.

As always, there still is the issue of trust. Companies and other organizations that contribute information will have to be confident that it will be properly used by whoever has access to it, that it will be adequately secured, and that they will be receiving information in return. Then there is usability. Despite ongoing calls for more information sharing, many security operations already are overwhelmed with threat intelligence, much of it redundant and of low quality. DHS will have to prove its ability to provide useful, high-quality information. Finally, there are compliance issues. Despite the protection offered by CISA, information being shared also could fall under other legislative and regulatory requirements covering privacy and confidentiality, so questions remain about what can and should be shared.

These concerns will not be resolved overnight. But despite the government’s poor track record in inspiring trust in the private sector, DHS’s role as an honest broker could help improve the nation’s cybersecurity posture, Freedman said. “It is a necessary step to enable building trust between parties that don’t know each other.”