One Year Out, Companies Seek Trust in U.S. Cyberthreat Sharing Program


By Daniel R. Stoller

It’s too soon to tell whether the year-old final U.S. government policies and procedures, aimed at boosting cyberthreat sharing between the U.S. government and the private sector, are working a lot, a little, or somewhere in between.

The plan for steering much-needed intelligence about the latest cyberthreats from companies hit by malware and hackers to the feds was the result of the 2015 Cybersecurity Information Sharing Act (CISA).

Some large companies, such as Alphabet Inc.'s Google and Apple Inc., can handle cyberattacks on their own and can uncover extensive cyberthreat data needed to combat the threat without the help of the government.

But others are left wondering whether to turn to the government for help or to face the mounting cybersecurity pressure on their own. The decision to rely on the public-private cyberthreat sharing program may come down to whether companies have sufficient trust in the government’s efforts and in the pay-off: whether they in turn can glean enough valuable cybersecurity data from the initiative, former Department of Homeland Security officials told Bloomberg BNA.

Numbers on how many companies have joined the program aren’t publicly available from DHS.

Adam Isles, security risk management principal at the Chertoff Group in Washington and former deputy chief of staff at the DHS, told Bloomberg BNA that the cyberthreat sharing program is “important” because it has “fostered a dialogue” between the private and public sectors. One of the larger challenges for the DHS, even if the program runs without a hitch, is to build trusting relationships with chief information security officers at companies and, importantly, in critical infrastructure sectors, he said. These sectors include banking, health care, emergency services, and energy, among others.

As of now, the DHS may be “hamstrung” by turnover in personnel, which can limit the program's success to some extent, Isles said. Companies may put more trust in the program once the DHS has staffed up and can show it can “manage the information shared,” he said.

Public-Private Partnership

The cyberthreat sharing program, operated out of the DHS U.S. Computer Emergency Readiness Team (US-CERT) division, aims to bridge the information gap between the federal government and the private sector. By doing so, the program would give industry and the government greater cybersecurity protections and combine efforts to go after cybercriminals.

To entice companies to join the program, CISA provides some liability immunity to organizations that share threat information with the government through proper protocols. Beyond the limited liability protections, companies also need to see value and trust in the cyberthreat information sharing program, the former DHS officials said.

Amit Yoran, chairman and CEO of Tenable Network Security in Columbia, Md. and former DHS national cybersecurity director, told Bloomberg BNA that companies must see a “value proposition” before joining the DHS program. Companies must weigh whether there is a sufficient trust in the private-public relationship, technical assistance, operational know-how, and liability limitations, he said.

Companies that weigh the value of joining the program need to see that it provides increased cybersecurity insight and actionable data, Yoran said. Joining the DHS program may serve “as a building block” for further private-public relationships in the cybersecurity arena, he said.

A DHS spokesman didn’t immediately respond to Bloomberg BNA’s email requests for comment on CISA and success of the program to date.

Increased Trust

Corporate leaders need confidence in the cyberthreat sharing program to find any real incentive to join, the former DHS officials said.

For the program to succeed in the long run, there must be proper incentives for companies to join, Yoran said. One way would be a regulatory mandate with which companies must comply, he said.

But a better way is to highlight the various incentives the government creates when setting up a cyberthreat sharing program, Yoran said. For example, the government can increase transparency with how the cyberthreat information is being used, more effectively share cyberthreat data, and increase “valuable engagements with the private sector,” he said.

Additionally, Isles said, companies may find increased trust with government information sharing programs if they have previously joined a similar private-sector program. Trust can start with “horizontal sharing,” such as sharing cyberthreat data between General Motors Corp. and Ford Motor Corp. in the automotive industry, he said.

The private-sector programs, often called information sharing and analysis centers, work with DHS and Federal Bureau of Investigation officials to combat cybersecurity threats across an industry, Isles said. By joining one of these programs, companies may see themselves as “brothers in arms in a trusted community” and be more willing to share their cyberthreat data with the government, he said.

Congressional Concern?

There have also been concerns from those who work closely with House Homeland Security Chairman Michael McCaul (R-Texas), who helped steer CISA through the House. A Homeland Security Committee aide told Bloomberg BNA that the DHS needs to be more transparent with how successful the program has been and where changes need to be made, if any. The DHS needs to demonstrate to companies that their peers are joining the program and it is worth the corporate investment, the aide said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.