Playing nice in the info sharing sandbox

Why you should care if government agencies share cyberthreat info with each other and with businesses that handle your money and keep your lights on.

 

You hear about a scam circulating on Facebook, and you would probably let your digital friends know about it. But experts say that was not always the case with federal agencies and cyberthreats.

Now, that is improving, according to an official at the U.S. Department of Justice, as reported by FCW.

“I think there’s been a lot of information sharing just in the last six months that might not be where people want it to be, but it’s definitely a lot better than where it was a year ago,” said Sean Newell, a deputy chief in the DOJ’s National Security Division, in the article.

Some cybersecurity experts say the state of federal information sharing, in the past, was in bad shape.

“This is great, but it’s hard to fall off the floor,” said Patrick C. Miller with Archer Security Group. “The info sharing between government agencies was so bad that it took a Cybersecurity Executive Order and a Presidential Policy Directive from the president to get them all to play nice in the info sharing sandbox.”

“The resulting NIST (National Institute of Standards and Technology) Cyber Security Framework and other new mechanisms are certainly a step in the right direction,” added Miller.

“Once this gains steam and demonstrates some success, the next challenge will be getting the private sector to share with them,” he said. “There’s a significant trust gap to be filled.”

Sharing with businesses

“There has definitely been a large focus on information sharing over the past few years,” said Robert M. Lee with the SANS Institute. “It is an effective model: the government should inform companies that they are breached if the government sees it and companies should tell the government or sharing groups so that the government and community understands the scope of adversary campaigns.”

It sounds logical. But it hasn’t always worked.

The DOJ Inspector General’s Office released the findings of an audit in July that said private businesses were concerned with the current system.

“We found that when the private sector shares information with the FBI, it is perceived by the private sector as akin to sending information into a black hole because they often do not know what becomes of it,” the audit said.

“Additionally, information the FBI shares with the private sector is often considered by the recipients to be not useful because it is already known, lacks context, or is outdated,” the audit continued.

FCW reported that Newell said, “We are trying to feed that [threat] information back to the victim so it is not a black hole.”

Other challenges

There are other obstacles as well.

“The issue is always going to be on the quality of the data collected and shared,” said Lee. “More information sharing does not mean more security in the community. It is better to share less data of higher value than lots of data of minimal value.”

“This is the balance the government and private sector will constantly have to fight to maintain,” he said.

Relying on the FBI

Some cybersecurity experts say companies cannot wait for federal investigators and government agencies to notify them of an attack.

“The idea that private business are relying on the FBI to tell them when they have been hacked is more than a little scary,” said Patrick Coyle of Chemical Facility Security News.

He suggested that businesses really should have their own way to detect attacks, to limit the data that is stolen.

“What is apparently true though, is that most business that have been hacked, particularly in the commercial sector, have attackers wandering through their systems for quite some time (months, even years) before some outside agency lets them know that consumer information taken from their sites is being sold in the criminal underground,” Coyle said. “This means that the amount of customer data being taken and sold increases every day.”