Is DHS cyber info-sharing ready for prime time?
Recent cybersecurity law is supposed to provide a voluntary framework for easy information sharing between government and private companies, but some DHS programs are experiencing early real-world hitches.
The Cybersecurity Act of 2015, passed by Congress in December as part of the 2016 omnibus spending package, establishes a voluntary framework for the government and private sector to exchange information on cyber threats without facing legal liability.
To ease private sector access to information on the government side, DHS created a web portal for information sharing as well as initiatives such as the Enhanced Cybersecurity Services and the Automated Indicator Sharing programs.
Though many companies lag in terms of cyber defense, these DHS programs still have room for improvement before the private sector completely buys in.
According to executive director of the Chamber of Commerce's cybersecurity policy Michael Eggers, small businesses make up "the bulk of" CISA memberships.
However, some of those businesses are simply unaware of CISA, and others are confused by the "overwhelming number of initiatives," said Ola Sage, founder and CEO of the IT solutions company e-Management. "If at some point this information could be built into tools we already use, so that we don't have to go all to different places to get it, that would be a very welcome development."
Additionally, the businesses that do understand and want to be a part of these DHS programs may face bureaucratic red tape in meeting access requirements, and the cost barriers to access classified information offered by programs such as ECS are simply too expensive, said Sage.
"We do receive regular updates on threat information through the portal, which is very accessible," she continued. "However, much of the unclassified information is already widely available on the Internet, or is dated."
Some other hitches include technical problems with the DHS programs.
"There is no actual test system to use with DHS, so in their rush to produce the platform and make it live, they didn't have an extra system… where you can go test it out," said Soltra CEO Mark Clancy. "On the operational side, I think there are just some mechanical issues that need to get worked through in signing up."
As a start to help clarify the cultural hurdles, DHS released the CISA final guidance documents on June 15, and is providing and education and outreach campaign.
"One of the things we need to think about is continuing the education effort," said Eggers, who noted that outreach efforts will be traveling to Texas and Wisconsin in the next month. "We want to orient small businesses and companies of all sizes around a cybersecurity framework… I think of [CISA] as a written tool."
Despite early challenges, Sage emphasized that companies remain committed to collaborating with DHS on CISA, and Clancy said that real-world implementation requires some ironing out.
"It's too soon to make a definitive judgment," he said. "The law is only six months old, the program is only three months old. If we have this problem again in 12 months, then we're in a very different place.