Private sector participation remains limited in a Department of Homeland Security (DHS) automated cyber threat information sharing program due to a lack of timeliness in the sharing of the threat indicators with the government and because the information doesn’t contain adequate context, industry officials told a House panel on Wednesday.
For companies, it comes down to the benefits equaling or outweighing the costs of information sharing, Robert Mayer, senior vice president for Cybersecurity at USTelecom, an association representing broadband communication providers, told the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.
“Given the pressures on providers to ensure the confidentiality, integrity and availability of their communications networks and systems, any information sharing venue or mechanism that does not produce contextualized, timely, accurate and actionable information that improves providers’ security posture will not meet that test of value,” Mayer said.
In 2015, Congress passed the Cybersecurity and Information Sharing Act, which provides liability protections for companies that voluntarily share cyber threat information with the government and also authorizes the standup of a real-time cyber threat indicator sharing platform known as the Automated Indicator Sharing (AIS) system. Even though liability protections are in place, few companies are actually participating directly with AIS.
Rep. John Ratcliffe (R-Texas), chairman of the panel, said in his opening remarks that 135 non-federal entities are connected to AIS, 22 of which are organizations representing specific sectors of the economy.
“DHS estimates the actual reach of AIS indicators to be greater than 10,000 organizations,” Ratcliffe said.
Rep. James Langevin (D-R.I.), the ranking member on the subcommittee, said industry’s level of participation with AIS is “unacceptable.” He blamed DHS, in part, because of the lateness and lack of context around the threat indicators.
Langevin said industry is to blame as well, saying organizations “knocking the data being shared by AIS haven’t applied much effort to analyzing the data.” He added that “2,200 formerly classified threat indicators, I believe, certainly count for something.”
Ratcliffe said that, overall, more than 1.3 million unique indicators have been shared through the AIS system.
Ann Barron-Dicamillo, former director of the DHS team that helps watch and respond to cyber threats in the public and private sectors, echoed Mayer’s concerns with the threat indicators shared via AIS. Barron-Dicamillo, who is now vice president of Cyber Intelligence and Incident Response for American Express [AXP], said that while her company isn’t signed up to AIS, it still participates in the two-way sharing of cyber threat intelligence between the government and private sector as a member of the Financial Services-Information Sharing and Analysis Center.
Both Barron-Dicamillo and Mayer said that since the passage of the 2015 cyber information sharing bill, the trend toward greater sharing of cyber threat data has been positive.