DHS: 'We need to up our game' on information sharing

Department of Homeland Security officials told a congressional panel Feb. 25 that DHS is developing plans to persuade private industry to share cyber-threat information with the federal government, part of a broad push by the Obama administration to foster cooperation between corporations and federal agencies on confronting malicious cyber threats.

DHS cybersecurity officials told a House Homeland Security Committee hearing they would use the National Cybersecurity and Communications Integration Center as the central portal to interface with private-sector entities. In turn, those corporations, banks and private critical infrastructure providers could form their own groups, called Information Sharing and Analysis Organizations, to voluntarily share threat information without the threat of liability.

The plan garnered bipartisan support, with Committee Chairman Michael McCaul (R-Texas), saying he was "pleased the president came forward" with it.

President Barack Obama on Feb. 13 signed an executive order to encourage the sharing of cyber-threat information between DHS and the private sector.

Suzanne Spaulding, undersecretary of the National Protection and Programs Directorate, and Phyllis Schneck, NPPD deputy undersecretary for cybersecurity and communications, said the organizational structure would set the stage for real-time centralized information sharing through the NCCIC.

"We need to up our game," said Spaulding. Cyberattackers, she said, have automated their capabilities, while those responsible for responding to attacks haven't.

The president's plan aims to offer "targeted liability protection" to private-sector entities. Liability protection has been a sticking point in past cybersecurity efforts.

"Sadly, our laws are not keeping up with the threat," McCaul said in his opening statement. "For instance, fearing legal liability, many private companies choose to not disclose the threats they see on their own networks, leaving others vulnerable to the same intrusions."

Rep. Curt Clawson (R-Fla.) asked Spaulding and Schneck if DHS had considered how companies with international ownership and shareholders would view sharing information with the U.S. government. "It feels like a tough sell even with the liability insurance," he said.

Spaulding and Schneck said they understood those concerns and were working to standardize the kinds of information that would be shared.

They said DHS is developing, in collaboration with the private sector, data specifications -- known as STIX and TAXII -- that standardize the representation and exchange of information, including actionable cyber-threat indicators. Structured Threat Information eXpression, according to their testimony, is a standardized format for the representation and exchange of information, including threat indicators. Trusted Automated eXchange of Indicator Information, they said, is a standardized protocol for discovering and exchanging cyber threat information in STIX.

They added that collaboration between DHS and the private sector is producing a growing base of commercial offerings supporting STIX and sharing indicators via TAXII, including platforms, network protection appliances and endpoint security tools.