Private sector entities have begun connecting with a new automated cyber threat sharing system the Department of Homeland Security (DHS) stood up in March and the sharing of threat indicators is underway, a department official told a House panel on Wednesday.
“We will grow this system incrementally,” Andy Ozment, assistant secretary for Cybersecurity and Communications at DHS, told the House Oversight and Government Reform Subcommittee on Information Technology. “We are not going to reach all of the American economy in just a few months. I’m very happy with our rate of growth.”
DHS Secretary Jeh Johnson on March 17 certified that the Automated Indicator Sharing (AIS) system is ready to begin the automatic sharing of cyber threat indicators among federal agencies and on a voluntary basis with the private sector.
So far, there are 14 non-federal entities that are connected to the AIS servers, Ozment said, adding that another 82 have signed terms of use with DHS and are in the process of connecting. Those entities include domestic and international companies, state and local organizations, foreign computer emergency readiness teams, and several information sharing and analysis centers, which are organizations aligned with specific critical infrastructures.
“So there’s clearly an interest in doing this,” Ozment said.
Ozment said that DHS has shared more than 2,000 cyber threat indicators with the private sector since AIS stood up. He said that some non-federal entities have shared indicators with DHS but that those specific entities did not want them shared with companies, although these potential threats were shared within the federal government, he said.
A DHS official told Defense Daily that the department hasn’t received any threat indicators from the private sector, noting that it’s still early in the process.
John Felker, director of DHS’s around-the-clock cyber security watch center, called the NCCIC, said on Tuesday that the private sector has shared very little information with DHS so far, according to an article in the publication FCW, which cited the DHS official as saying that the low rate of information sharing by industry is typical of its “wait and see” caution.
The United States Computer Emergency Readiness Team, or US-CERT, within the NCCIC is the organization within DHS responsible for sharing cyber threat signatures with the private sector and other federal civilian agencies.
Ozment pointed out that finding a cyber threat indicator doesn’t mean there was a cyber security incident. He said an organization can find a threat indicator whether an attack has been successful or not.
Creation of the AIS system was mandated by Congress in the Cybersecurity Information Sharing Act that was approved last December. The legislation also attempts to prevent the sharing of personally identifiable information.
Ozment said that DHS doesn’t know how much personal information its systems may have automatically blocked from being shared with it but said that so far in the human scrub, which is the last blocking mechanism, no personal data has been found.
The sharing of cyber threat information between and among the federal civilian government and the private sector is considered an important ingredient in helping to mitigate and respond to successful cyber attacks.
“Only by fostering this framework where government and private entities are able to freely share knowledge of security vulnerabilities, threat indicators, and signatures can we be sure that our network defenses are getting the best intelligence available,” Rep. Will Hurd (R-Texas), chairman of the subcommittee, stated in his opening remarks.
Hurd also said that after network systems solutions provider Juniper Networks [JNPR] disclosed last December that a virus had been placed in a version of its software that made one of its legacy products vulnerable, the company quickly informed its customers of the breach and provided a security patch. He said the affected company’s customers included parts of the intelligence community and 12 federal agencies.
In response to queries from the committee in January, Hurd said three of the agencies took longer than 50 days to complete implementation of the security patches.
“This is absolutely unacceptable,” Hurd said.
Sanjeev Bhagowalia, the chief information officer at the Department of Treasury, which is one of the agencies that didn’t complete the adoption of Juniper’s security patches until nearly two months after the receipt of the fix, told the panel that his department acted quickly to patch the most important parts of its network.
Within a day, 25 percent of the patches were in place and within a week 84 percent, Bhagowalia said. In seven weeks, 93 percent of the patches were installed, he added. The reason it took over eight weeks to put the remaining fixes in place is because an analysis determined the risk was low for exploiting the vulnerability in the network configurations of two Treasury bureaus, he said.
Bhagowalia said that Treasury hasn’t discovered any data breach based on the compromised software. Hurd pointed out that the vulnerability allowed for information to be decrypted and read without the data being exfiltrated. Still, Bhagowalia replied, a detailed analysis uncovered no breach but nonetheless Treasury plans to hire outside help such as FireEye’s [FEYE] Mandiant threat analysis division to further examine the matter.