The Atlantic Council and the Christian Science Monitor held a conference yesterday as part of the Monitor's launch of its Passcode cyber section. The sessions' focus was on "breaking the cyber information-sharing logjam."
Michael Daniel, Special Assistant to the President and White House Cybersecurity Coordinator, opened the discussion. He began with an acknowledgment that information sharing is not a new topic, and that he would concentrate on outlining the Administration's recently proposed initiatives. First, he described the role of the Cyber Threat Intelligence Integration Center (whose acronym, "CTIIC," he clarified will be pronounced "see-tick"). This new organization is designed to facilitate intra-governmental information sharing. The National Cybersecurity and Communications Integration Center (NCCIC) in the Department of Homeland Security retains its role as principal interface with the private sector.
The current task, as seen in last Friday's summit, is building relationships that will enable effective cyber information sharing. The private sector made some important commitments there, Daniel said. They will form Information Sharing and Analysis Organizations (ISAOs), develop best practices, and use the NIST Framework. The ISAOs will enable many different kinds of organizations to serve as information hubs. The Executive Order calls for creation of a baseline for such organizations, and DHS will facilitate this.
Daniel stressed that ISAOs don't have to share with the NCCIC or any other part of the Government, but the President's order makes it clear that the NCCIC will share with ISAOs. The Executive Order also commits to some form of liability protection for the ISAOs.
The Executive Order streamlines the way in which classified information may be shared with the private sector, effectively by expediting certain forms of clearance. The ISAOs don't need this capability to operate, but many in the private sector have indicated this is something they wanted.
Daniel concluded by arguing that information sharing as such is not an end in itself. It must serve some actionable purpose appropriate to the sector for which it's done. A cyber weather map requires one kind of sharing. A public health service for cyber requires another. And getting ahead of the threat requires yet another sort of sharing.
Daniel's presentation was followed by a panel discussion on the Executive Order's implications for information sharing. The discussion was led by Jason Healey, Director, Cyber Statecraft Initiative, at the Brent Scowcroft Center on International Security, Atlantic Council. Panelists included Marcus Sachs (Vice President, National Security Policy, Verizon), Jeff Schmidt (founder and CEO, JAS Global Advisers), and Ari Schwartz (White House Senior Director for Cybersecurity).
Schwartz began by asserting that the presumption has now shifted in favor of sharing, and the new Executive Order facilitates sharing in four ways. First, it makes it easier to clear personnel at critical infrastructure companies. Second, it encourages private-to-private sharing outside the Government. Third, it facilitates private-to-government information sharing. And, fourth, through the CTIIC, it promotes intra-governmental information exchange. This last is particularly important because, of course, no agency has the full picture. The Office of the Director of National Intelligence (ODNI) was created to provide just such perspective, and ODNI seems the logical place to lodge an office designed to foster cyber intelligence sharing.
We need, Schwartz argued, to separate the technical issues of sharing from those that require legislation. The ISAOs are interesting and important because they focus on private-to-private sharing. Hubs need not be government hubs, or even organizations with any government participation at all.
Verizon's Sachs noted that Information Sharing and Analysis Centers (ISACs) date back some time, and are designed to be sector-specific. But much of the US economy lies outside the sectors as traditionally conceived and organized. Situational awareness is fine, but information sharing among those who can take action is powerful. You can be surrounded by information unrelated to action. What's wanted, and where there's room for improvement, is sharing actionable info.
Healey prompted the panelists to consider sharing of information other than threat intelligence. As much as we think of cyber defense against threats, vulnerability disclosure, for example, is a big part of information sharing.
Schmidt said that sharing information about vulnerabilities came to his own consciousness rather late. Today, however, there have never been more people looking for vulnerabilities, more efforts to monetize the search, better tools for finding them. We're now finding fundamental design issues that result in vulnerabilities. Sometimes keeping a vulnerability secret (to give vendors runway to fix it) is the best thing for effective information sharing. Such disclosure needs to be responsible. Let us say we agree that we should tell vendors of vulnerabilities in their products. Do you tell the US Government? Or do you tell foreign governments? Especially governments whose CERTs are indistinguishable from their foreign intelligence services?
Schwartz said that the President's Executive Order is intended to foster information sharing internationally, and the ISAOs should do so. Sachs suggested that international cooperation during the Y2K era offers a useful lesson: a follow-the-sun model of willing collaborators who can do something about the problem seemed to work.
Many of the ISAO members are, and are going to be, multinationals and other companies that operate internationally, said Schmidt. Thus it's not a new problem. Some of the Executive Order's provisions about clearances are intended to address the challenge of sharing information with companies that operate internationally.
After some general discussion of privacy as an important issue that needed to be and presumably would be addressed, Healey asked the panelists if information sharing would have helped Sony, or JPMorgan.
Sachs thought it depended upon individual action. Schmidt said directly, "Yes. It would have helped." A big problem is preparing for the wrong adversary, and information sharing would help in this regard. As we understand threat actors and their motivations, sharing such insight might indeed have helped Anthem, Sony, and others understand and prepare for the threats they face.
Schwartz was very encouraged by the number of companies at last Friday's summit expressing their commitment to the NIST framework — requiring it of their vendors, insurers requiring it of their policy holders, and so on.
In response to a question that suggested policymakers' emphasis on security clearances was misplaced, Sachs answered that classification and clearances were indeed barriers to effective information sharing. Many tech experts don't hold clearances, and may not even be clearable. And the Government may be prone to over-classification. The Government needs to think about the tear-line — the part of the information that can be shared — in advance. It's a problem when we share classified information that then can't be used.
In any case, Schwartz observed, "We're not going to clear our way out of the problem," and Healey suggested a useful rule-of-thumb: "If the bad guys are putting their stuff out on the Internet, that stuff should be considered as unclassified as any cat picture."
A questioner asked if there were companies one would not like to see participating in an ISAO. Sachs thought that, since ISACs are sector-specific, sector membership suggests an obvious screen for sector-centric ISAOs. Other sharing groups receive nominations for membership and vet their candidates, and this is another option for ISAOs. Such circles of trust are important, and can work quite well.
Healey noted that companies like FireEye, Crowdstrike, and TruSTAR are well on their way to developing workable models for cyber information sharing. Schwartz advised watching for legislation and RFPs to clarify how such companies can function as ISAOs.
As the session concluded, Sachs said there's plenty of room for the public sector to see, infer, and share, and there's plenty of room for the private sector to see, infer, share, and sell. The public and private sectors can amplify one another's contributions. ISAOs will need to be holistic — considering people as well as networks.