The Department of Homeland Security’s (DHS) role in creating processes for sharing cyber threat information between the federal government and industry, particularly through a year-old automated portal, has been valuable but a shortcoming is that the information lacks context, industry officials told a House panel on Thursday.
The ongoing cyber security information sharing efforts between DHS and industry are creating “the right kinds of muscle memory,” Scott Montgomery, vice president and Chief Technical Strategist at Intel Security, told the Homeland Security Cybersecurity subcommittee. He said that 10 to 15 years ago any cyber-related information sharing by industry with a third party “was anathema, it just wasn’t done, in fact it was considered counter-productive.”
Intel Security is part of Intel Corp. [INTC].
Although there were some initial technical issues porting to the DHS Automated Indicator Sharing (AIS) capability, “Our experiences are quite positive,” said Daniel Nutkis, CEO of the HITRUST Alliance, an information sharing organization for the healthcare industry. He said the 10-year-old HITRUST organization also had its share of problems initially in sharing cyber threat indicators among its members but eventually succeeded in getting 100 percent participation.
Nutkis said that DHS has made a lot of progress in the last five years in the area of sharing cyber threat information and that he hopes the department is successful in getting more private sector entities to sign up with AIS.
“We see a ton of situational awareness across our sector,” Nutkis told the panel. “We’d like to see more across the other sectors and we certainly would like to see more information being disclosed from government but the progress we’ve seen is positive.”
The “downside” of the information that is being shared is its “usefulness and its timeliness,” Montgomery said. The “muscle memory” that DHS and industry are developing around information sharing will help toward making the shared cyber threat indicators contain more context, he said.
“But certainly we need some better guidelines about what constitutes good data coming in,” Montgomery said.
Jeffrey Greene, senior director for Global Government Affairs & Policy with Symantec [SYMC], said he “echoes” Montgomery’s remarks, highlighting the “formal process” around information sharing between DHS and the private sector rather than just relying on “relationships.” However, Symantec is analyzing whether to plug into AIS, with a key consideration being whether it’s too much work to figure out the context of the information it receives through the portal.
Montgomery said it’s difficult to extract things like domain names, URLs, or some type of “fingerprint” from the cyber threat indicators, so that a given indicator is just “a needle in the pile of needles.” Context could include how the indicator was received, how it was transmitted, sender and recipient, and time of day it was received, he said.
This information is necessary for “a practitioner to sort out what to do next,” Montgomery said.