Threat indicator data needs a wide net, experts say

Information sharing 

Seeing and sharing the telltale tracks of cyber attackers across networks isn't just technical -- it depends on a wide array of allies that talk among themselves, according to government and industry cyber experts.

The majority of cyber attackers mostly still rely on unpatched software and phishing to get into networks, said Rick Driggers, deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security's National Protection and Programs Directorate. That's because those methods still work most of the time, he said.

Driggers and other cyber experts said industry and government have to continue to push to change that cybersecurity equation at a May 31 CyberScoop conference.

Although Driggers said his agency has shared almost two million threat indicators at machine speed with commercial partners since 2016, he said DHS is also looking to connect on a more personal scale with industry to encourage data sharing.

"It's about partnerships and information sharing. We work every day to build our partnerships through formal large robust government partnerships … so we can open up information sharing channels," he said. "But we also want to do this informally. We want our analysts to have working relationships and be able to collaborate with private sector analysts," in sharing threat data.

DHS, he said, has been listening to industry concerning its automated threat indicator data and honing it to make it more relevant and effective. "We're making changes," he said.

In an interview with FCW, Driggers said the agency is working to make the indicators "more definitive" with more context about how each was developed.  Those changes are direct results of feedback from industry, he said.

Ron Ross, National Institute of Standards and Technology fellow, along with other cybersecurity experts at the event said larger context is vital to blunting growing cyber threats from nation-states and criminals. A wide network of allies across the federal government and private industry, they said, can eventually make successful attacks more costly for cyber attackers, without defenders having to spend more time and money.

The experts advised federal agencies to look not only to commercial and U.S. federal partners, but also to like-minded organizations.

House of Representatives Chief Information Security Officer Randy Vickers said his employer has been working with information security organizations in other countries. The House has been sharing cyber threat data with information security offices in the parliaments in the other Five Eyes nations -- Australia, Canada, New Zealand and the United Kingdom.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Comment
    customer experience (garagestock/

    Leveraging the TMF to improve customer experience

    Focusing on customer experience as part of the Technology Modernization Fund investment strategy will enable agencies to improve service and build trust in government.

  • FCW Perspectives
    zero trust network

    Why zero trust is having a moment

    Improved technologies and growing threats have agencies actively pursuing dynamic and context-driven security.

Stay Connected