How to fix information sharing, according to industry

Secret cyber threat data and a clunky clearance process are barriers to bidirectional information sharing, industry representatives told the House Homeland Security Committee's Cybersecurity and Infrastructure subcommittee on Nov. 16.

"Over-classification of entire reports continues to be an issue across the board in the intelligence community in all kinds of different contexts," said Ann Barron-DiCamillo, former head of US-CERT at the Department of Homeland Security and vice president for cyber intelligence and incident response at American Express.

Barron-DiCamillo also explained that American Express, as well as other critical infrastructure partners, is discouraged from directly participating in DHS' cyber information sharing and collaboration or its automated indicator sharing program because of the clearance process.

"You have to go through the DOD private industry clearance process, and when you have a CRADA [cooperative research and development] agreement with DHS you are forced through the facility clearance process versus the DOD clearance process for individuals," which she said inhibits companies from adding additional cleared personnel.

And when it comes to industry access to classified information, part of the solution is being able to scour public data sources to see what's already been compromised as well as government being more judicious about what's labeled classified.

"If it's already out there in the public domain, then why is it still classified?" Patricia Cagliostro, Anomali's federal solutions architect manager, asked during the hearing. "The association to an actor, how we discovered [the threat indicator], may be sensitive but the indicator itself shouldn't be.… One of the big first steps should be aggregating the publicly available information so that we can more effectively and quickly declassify tools."

The second piece, she said, is automating the process rather than having human operators "download files once a day and copy them over."

Thomas Gann, McAfee's chief public policy officer, told FCW after testifying in a separate hearing on cyber threat information sharing and small businesses that the declassification problem could be lessened on the front end.

"Too often the government over classifies cyber threat data, which leads to the challenge of declassifying it when it is useful to the private sector," Gann said. And once it's classified, it's hard to undo it because "each part of the government has its own declassification processes."

Agencies should "be very judicious on the front end" and only classify information in situations where true intelligence capabilities were used, he said.

But there is hope that public-private information sharing will improve.

Robert Knake, a senior fellow for the Council on Foreign Relations who also testified Wednesday, said, "We have made tremendous progress on this issue over the last five years, in particular," pointing to the Cybersecurity Information Sharing Act passed in 2015, which included liability protections, as playing an integral part.

However, to get sharing where it needs to be, the government will have to provide more contextual details of cyber threats to industry.

Barron-DiCamillo said industry would appreciate if the government would let operators "share playbook-type details, that kind of context that's going to be specific to how I would implement these indicators in my environment, which is more than an IP address or URL…. It's just not available in the current information-sharing systems."