Public/private threat intelligence sharing faces roadblocks

The U.S. government says it wants to improve threat intelligence sharing between the public and private sectors, but experts are unsure that is possible in the current climate.

Representatives for U.S. intelligence agencies appear to be on a tour to promote better threat intelligence sharing between the public and private sectors, but experts are unsure how likely that effort is to succeed.

Richard Ledgett, deputy director of the National Security Agency (NSA), and James Comey, director of the FBI, commented recently that cybersecurity defense would be improved for enterprises if businesses were more willing to share cyberattack information with the government.

Ledgett said that without better threat intelligence sharing, enterprises may be outmatched.

"We need to figure out: How do we leverage the private sector in a way that equips them with information that we have to make that a fair fight between them and the attacker?" Ledgett said in a recent cybersecurity forum.

Ari Schwartz, former senior director for cybersecurity on the United States National Security Council Staff at the White House and current managing director of cybersecurity services and policy at Venable LLP based in Washington, D.C., said security leaders in the private sector are not overly impressed with the information that the government has. 

"I don't think that more information sharing from the government is going to make a huge dent in the cybersecurity issue," Schwartz told SearchSecurity. "I do think that government information will help certain kinds of companies in certain situations and therefore is worth pushing for, but anyone suggesting that it is going to change the ability to protect most companies is overstating the case. Greater info sharing is helpful, but it does not solve every cybersecurity problem that we have."

Comey addressed this issue in more depth last month, when he said it was an issue of trust between the intelligence community and U.S. businesses.

"We have to figure out how to share information more effectively across a barrier -- there must always be a barrier -- between the public and the private. We must find a way to make the barrier -- consistent with law and policy and norms -- semipermeable," Comey said. "Because nearly all of the digital world is in private hands in this country, and it should be. That's a wonderful thing. But that means all the victims, all the indicators of where the bad guys are and what they're doing, lies in private hands. And, we're in a terrible place. A vast majority of computer intrusions in this country are not reported to us."

Comey admitted the government may go overboard by "holding close" classified data and could open up more, but he also noted that companies should trust the government more and not hide breaches.

"We're in a terrible place," Comey said, adding "You're kidding yourself if you think your interests and our interests are not aligned. It's shortsighted to think, 'I need to get on with my work. I'm not gonna tell anybody about this.'"

A lopsided case for threat intelligence sharing

Sergio Caltagirone, director of threat intelligence and analytics at Dragos Inc., said the government "faces a cultural over-classification challenge" and has failed at threat intelligence sharing on larger scales.

"Their sharing challenge is solely of their own making and change will not come easily or quickly," Caltagirone told SearchSecurity. "Aside from sound bites and congressional grandstanding, nobody has yet even proven that what the government can or will share is meaningfully valuable. We still see epic breaches by other state actors even with the entire power of the U.S. government and national intelligence apparatus applied to the problem. The fact is, national intelligence missions are not intrusion detection engines nor do they actually produce intelligence useful to network defenders."

Comey did offer one example of successful threat intelligence sharing in the Sony hack, which he said "likely would have been worse but for Sony's relationship with the FBI" because the FBI knew the company, personnel and layout and could respond quickly.

"I've told all the CSOs in big companies around the country, 'If you don't know your FBI office and they don't know you in that same way, you're failing at your job.' We need to make that barrier semipermeable in an appropriate way," Comey said. "We need, culturally, to get to a place where the default is figuring out how to equip the private sector with those indicators of compromise, so they can protect themselves."

Rebecca Herold, CEO of Privacy Professor, said one of the biggest issues is the current "perception that all benefits for sharing data will be going to the government, and the businesses doing the sharing will be creating significantly more risks by doing so."

"What benefits can the government provide that businesses cannot do better themselves? If businesses, and the non-government industry groups and research organizations and data sharing peer groups, can identify and create better security controls and protections without the interference from the U.S. government, there is no motivation to join any government sharing programs," Herold told SearchSecurity.

Schwartz said this was the key issue because "there are no legal roadblocks. It is all culture."

"They need to continue to promote sharing [and] demonstrate success through the Automated Indicator Sharing program and promote Information Sharing and Analysis Organizations," Schwartz said. "The majority of the rest are a general concern from companies about sharing breach information with anyone outside the company. This is harder to overcome. The best way is to build sharing organizations that engender trust over time."

Trust issues hinder threat intelligence sharing

Caltagirone said the government needs to build trust because "for companies, information sharing with the government means cost and risk." 

"Unless there is an incentive for sharing, or penalty for not sharing, there is no way to justify the cost and risk. The government has not been known to be trustworthy in their information protection and a breach disclosure has real financial costs to a private entity," Caltagirone said. "Breach disclosures must be accompanied by risk reduction, trust building and actual value returned for the disclosure. Until those are met there is only disincentive for private company breach reporting."

Herold said there is a "huge lack of trust from businesses and other organizations to share data with the government agencies" due to "surveillance-happy intelligence agencies" and the government proving itself incapable of protecting its own systems from data leaks or breaches by insider threats and foreign actors.

"There are some talented and highly knowledgeable information security experts working for non-government agencies that believe -- and rightly so given recent history -- that they can better defend against cyber attackers than any help they are offered from the government," Herold said. She added that IT pros "don't actually see [this] as help, but as a way for the government to have an excuse to get into their systems, and to the personal information and associated activity data of their clients, customers, patients, employees and others."

Caltagirone agreed that the government faces problems with threat intelligence sharing because it hasn't effectively addressed privacy concerns.

"Privacy has become a foremost topic for many companies because customer privacy has grown into a differentiator and decision criteria for customers," Caltagirone said. "The government should focus on enabling private-to-private sharing, which has shown value without the massive risks or costs involved and reduce the role of government as the solution-provider for private industry cyber security."

Amit Yoran, CEO of Tenable, said "trust is required for information sharing to be effective."

"Having a clear understanding of what is being requested, who will have access to the data, how it will be used and how it will be protected are foundational before sharing gains momentum," Yoran told SearchSecurity. "After answering the questions above, the long-term viability and success of any real-time sharing program will be driven by either a regulatory mandate or defining a compelling value proposition for those participating."

Caltagirone said rather than focusing on threat intelligence sharing, the government should support "greater funding for cybersecurity training, tax incentives for meaningfully participating in cybersecurity sharing groups like ISACs, proper penalties for heavily regulated industries where public safety is at risk in case of breaches and supporting an industry-funded and managed organization whose role is to advise on the problem and enable community solutions."

"Collaboration between private entities is far more important than public-private sharing. Private organizations know better than anyone else what they need and require. They can collaborate quickly," Caltagirone said. "The ISAC model is a great example of this attempt, and in some cases, a success. Intelligence sharing is best done between organizations that share the same adversaries."

The NSA, FBI and Department of Homeland Security did not respond to requests for comment.
