President Barack Obama unveiled a detailed legislative plan Tuesday that would give private sector companies specific liability protections for sharing technical cyber threat data with the federal government to help prevent future cyber attacks like the one that crippled Sony Pictures Entertainment and others that have compromised personal data stored by major financial and retail firms.
Obama announced the proposal during a speech at the Department of Homeland Security’s National Cybersecurity Communications and Integration Center, where he characterized cybersecurity as “one of the most serious economic and security challenges we face as a nation” and said the government and private sector must work together more closely to stay ahead of cyber criminals.
The information sharing bill is part of the administration’s effort to revive a similar proposal that failed to pass Congress in 2011. But cybersecurity experts are skeptical of the strategy, arguing in interviews with FedScoop that the detailed planning necessary to make information sharing effective has yet to be undertaken.
A senior administration official, who briefed reporters Tuesday morning on background ahead of Obama’s speech, said the growing number of threats in cyberspace has created clear momentum on Capitol Hill for the passage of an information sharing bill.
“The administration really believes that in 2015 we need to make a major push to raise the level of cybersecurity across our country and to improve our ability to disrupt, respond to and mitigate cyber incidents when they do occur,” the senior administration official said. “In particular, this proposal will authorize companies to share cyber threat indicators, which are primarily technical data (IP addresses, date-time stamps, routing information) to the DHS National Cybersecurity Communications and Integration Center … and to private sector-led information sharing and analysis organizations.”
The bill would enable that information sharing by providing companies with “targeted liability protection” as long as they take “reasonable steps to remove irrelevant identifiable information” and comply with other “reasonable” privacy guidelines laid out by the Justice Department and DHS, the senior administration official said. The liability protection is geared toward facilitating the sharing of cyber threat indicators, which the official defined as “the bits of information that you need in order to identify what is malicious reconnaissance, a method for defeating a technical control, a method for causing a user to inadvertently defeat a technical control, or malicious command and control, or some combination of those things.”
According to the official, the Justice Department and DHS are developing guidelines that will govern the use, retention and destruction of the information collected by the government from the private sector. Those guidelines will restrict the use of the information shared with the government to investigations related to cyber crime, threats to minors or imminent bodily harm.
Nuts and bolts of information sharing
In email and telephone interviews with FedScoop, more than a dozen cybersecurity practitioners expressed concern that more information sharing would not necessarily lead to improvements in cybersecurity, especially if standards for data formatting and reporting procedures are left out of the equation. And much of the responsibility for that falls to cybersecurity product vendors, they said.
“Information sharing is critical, but it is not enough,” said Cody Pierce, director of vulnerability research at Endgame Inc., an Arlington, Virginia-based cybersecurity intelligence firm. “Security engineers need better guidance on effective and easy mitigations of current threats as well as straightforward guidelines to strengthen their organization’s security posture. If information cannot be acted upon quickly and with minimum performance impact, that information will remain ineffective regardless of how widely it is shared.”
“To think that information sharing alone is the answer is naive,” Chris Pogue, senior vice president of cyber threat analysis at Nuix North America Inc., told FedScoop. “You can share all you want but ultimately you have to execute.”
But being able to act upon threat data shared between organizations requires a level of data standardization that doesn’t quite exist yet. “Sharing information about zero-day threats is difficult because most security vendors do not gather information on a timely basis from their customer base, nor is that data made available to customers in an actionable way,” said Mike Malloy, executive vice president of products and strategy at Webroot Inc., a Broomfield, Colorado-based Internet threat detection company. “Traditional [antivirus] products are designed in a way that data goes from vendor to device but not from device back to the vendor so it can be aggregated and sent back to industry peers. Since all vendors use different formats for data about malware, bad IPs, phishing sites, etc., customers find it difficult to take alerts from vendors and incorporate that into their security infrastructure.”
Malloy said the initial focus needs to be on developing shared data format agreements within the industry and within the users of the data — government agencies and commercial enterprises. But the government should not try to be the aggregators and distributors of data, he said. “They are not expert in these areas, nor do they have the funding to create such capabilities.”
Simon Crosby, chief technology officer and co-founder of Cupertino, California-based Bromium, said the financial services sector has led industry in the effort to standardize threat information data sharing. With the help of Mitre, the industry has adopted the DHS-sponsored Structured Threat Information eXpression (STIX) language for describing cyber threat information.
The STIX format has become “a de facto standard” for threat sharing between major financial services firms in the last year, Crosby said. “It allows an organization to share key threat data — including the addresses of remote servers used in the attack and the malware fingerprint, amongst other attributes — in a suitably anonymized form, without breaching confidentiality. STIX and other open threat indicator formats are of great importance because they allow sharing of information between different vendor toolsets. Contrast this with the proprietary formats of traditional signature feeds from major antivirus vendors to see that this is a major advance for the industry.”
Jeff Williams, CTO of Palo Alto, California-based application security firm Contrast Security, would like to see data standardization go even further: public disclosure labels. “I believe that more visibility is the right approach to tackling our cybersecurity challenges. But the government’s approach to information sharing isn’t real visibility,” Williams said. “Most of the proposed information sharing is interagency, but isn’t revealed to either buyers or sellers in the technology market. That prevents people from making informed decisions about risk,” he said.
Jon Oberheide, co-founder and CTO at Duo Security Inc. in Ann Arbor, Michigan, said information sharing is only so effective. “You can be completely informed about an adversary and their motivations and armed with all the indicators of compromise shared from other targets, but that does not necessarily equip you to defend yourself,” Oberheide said. “There is an obsession currently with information sharing and the ‘know your adversary’ philosophy. Some characterize it as ‘black-hat envy,’ where people spend so much time admiring and romanticizing the threat, instead of focusing on security fundamentals to defend against the threat.”
Williams would like to see mandatory disclosure of security practices and audit results from technology organizations. “When we buy food, there’s a nutrition label. When you buy a refrigerator, there’s an EnergyStar rating. And when you buy industrial materials, there’s a Material Safety Data Sheet,” Williams said. “Technology producers should be forced to disclose information about how their technology is constructed, what components were used and how it was tested for security. This is the least intrusive way for government to intervene in cybersecurity and the most likely to make a real difference.”
Where information sharing is working
Some experts are more optimistic about the impact that enhanced information sharing can have on cybersecurity nationwide, and they point to the successes in the financial industry as an example.
“The truth of the matter is information sharing is working,” said John Zurawski, vice president of Chicago’s Authentify Inc. “Organizations such as the Financial Services Information Sharing and Analysis Center successfully alert members to new threats, provide information on fixes and other important aspects of keeping the financial services industry safe from cyber threats. The program works very well. The three cyber attacks at Target, Home Depot and Sony were not the result of never-before-seen malicious code or breakthrough cyber attack technologies. These attacks resulted from failures of basic block-and-tackle security.”
Stephen Boyer, CTO and co-founder of BitSight Technologies in Cambridge, Massachusetts, agreed. “Financial services has been the top sector for as long as we have been measuring. Although the top performance is not attributed to a singular action [or] to individual financial services organizations, we do see that [financial services companies] share more than any other,” Boyer said. “The FS-ISAC is the most mature and has demonstrated its value. Some of the threats are targeted, but many of the threats and issues are common. The faster the information is shared from one organization, the faster others can respond.”
For now, cyber threat information sharing remains in its infancy. And the Obama administration acknowledges it is only one part of a larger effort that is necessary to raise the bar across industries.
“Certainly, information sharing all by itself is not going to crack our cybersecurity problem,” the senior administration official said in response to questions from FedScoop. “Getting better information flows is a necessary but certainly not a sufficient condition for tackling the cybersecurity problem. We are working to make the information flows happen at a speed and a sufficient depth that we can generate almost what I think of as the weather map for cyberspace.”