DHS Pushes Cyberthreat Sharing, but Companies Unsure of Value


By Daniel R. Stoller

U.S. companies are struggling to find value in sharing cyberthreat information with the government—even as the Department of Homeland Security continues to promote its program, cybersecurity pros and former DHS officials told Bloomberg BNA.

Without stronger incentives, such as better liability protection for companies that share cyberthreat data, the DHS program is unlikely to significantly expand. Companies aren’t going to “give vulnerabilities away” without getting anything in return, Paul Rosenzweig, former deputy assistant secretary for policy at DHS and visiting fellow at The Heritage Foundation, told Bloomberg BNA.

The cyberthreat sharing program, enacted as part of the 2015 Cybersecurity Information Sharing Act (CISA) and operated out of the department’s U.S. Computer Emergency Readiness Team (US-CERT) division, aims to bridge the information gap between the federal government and the private sector.

DHS officials have recently advocated for more companies to join the program, specifically saying that too many companies take cyberthreat intelligence data from the government without sharing their own threat indicators.

DHS Acting Secretary Elaine Duke said at an Oct. 4 U.S. Chamber of Commerce cybersecurity event that companies need to view cyberthreat sharing as “herd immunity,” where sharing cyberthreat information not only helps one company but the whole industry.

CISA provides some liability immunity to organizations that share threat information with the government through proper protocols. However, beyond the limited liability protections, companies need to see a value, such as more actionable threat intelligence data and increased incentives, before joining the program, cybersecurity pros said.

Jamil N. Jaffer, director of the National Security Law & Privacy Program at the Antonin Scalia Law School at George Mason University, told Bloomberg BNA that the government must “pivot from the policy discussions to effectuating these goals.”

Companies would likely be more willing to share their cyberthreat indicators directly with the government “if they are assured they aren’t going to be regulated” based on what they share, said Jaffer, who served as senior counsel to the House Intelligence Committee and associate counsel handling intelligence matters for former President George W. Bush.

Because the government—and especially the DHS—has “historically discussed their interest in regulating” cybersecurity, some companies hesitate to share sensitive cyberthreat information, he said.

Private Sector Threat Data Sharing

Some 129 government agencies and private sector companies have used the DHS’ cyberthreat information sharing system, DHS Assistant Secretary for the Office of Cybersecurity and Communications Jeanette Manfra told a House committee Oct. 3. Some private sector data-sharing groups also send threat data to DHS, she said.

More companies use private sector information sharing groups to share threat data directly with their industry partners. Private-to-private sharing “is a fair trade” because if a company doesn’t contribute, other members will kick them out of the group, Rosenzweig, founder of Red Branch Consulting, said. By contrast, the only thing the government can do is offer companies incentives such as subsidies or contract procurement preferences to take part, he said.

Reputational Boost

Companies thinking about joining the DHS’ cyberthreat sharing program may gain a reputational boost by being ahead of the curve in cybersecurity protections, the cybersecurity pros said. But they may need some convincing to buy into that proposition.

To that end, the DHS should provide case studies where successes are highlighted and demonstrate how actionable threat data was used to prevent a cybersecurity incident, Megan Stifel, former director for international cyber policy in the National Security Council at the White House and a former attorney in the National Security Division at the Department of Justice, told Bloomberg BNA.

If the government can identify “success stories and talk about the type of information shared and safeguards around privacy,” more companies may be willing to join, Stifel, founder of Silicon Harbor Consultants and nonresident senior fellow with the Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security, said.

DHS could also potentially promote the program by creating a private-public certification designation similar to what’s offered by the U.S. Green Building Council’s Leadership in Energy and Environmental Design (LEED) certification for environmentally responsible, resource-efficient structures.

If companies could get something akin to that designation for cybersecurity, in return for sharing threat data, they could get the word out to consumers that they offer higher levels of cybersecurity protection, Stifel and Rosenzweig said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
