Companies are generally willing to share threat "indicators," such as the IP address of a phishing scam making the rounds, rather than report specific incidents, said Andy Ozment, the Department of Homeland Security's assistant secretary of the office of cybersecurity and communications, who took the poll in stride as a guest speaker. "The legislation will make that more clear."
The U.S. Senate in October passed the Cybersecurity Information Sharing Act, a well-intentioned band-aid for the rash of data breaches that have buffeted the corporate sector. Ideally, companies would share with DHS more information about threats they are seeing in their networks, which would contextualize the data and share it with other companies and federal agencies. The law seeks to protect companies from private lawsuits, a major stumbling block to information sharing. Ozment said the DHS would begin sharing cybersecurity threat information with private companies later this month.
Ozment, who oversees a $930 million budget and workforce created to bolster the nation’s cyber and communications infrastructure defense, says companies can relay threat indicator information from their intrusion detection system to one of their servers. Companies then relay it to DHS, which has created a “giant mixing bowl of indicators,” which are stripped of information about employees. He also said cybersecurity vendors would be able to use the data to build their own products.
While he allowed that companies are much more reticent to report hacks, Ozment encouraged companies to communicate incidents to law enforcement or DHS, which would grant statutory protections under which the data can't be used for regulatory purposes, civil litigation or Freedom of Information Sharing Act requests. "The bill says that if you're sharing information for cybersecurity purposes, then you're protected against this liability," Ozment said.
Companies are contemplating how to share not only information, but talent. Jim Motes, CISO of Rockwell Automation, has proposed a cooperative staffed by the best engineers from member companies, which he says would be better positioned to protect corporate networks than most managed security service providers (MSSPs).
Although Ozment attempted to put a friendly face on the government’s information-sharing efforts, he faced a skeptical crowd of CIOs from Lockheed Martin, American International Group, Allstate and other Fortune 500 companies.
NuStar Energy CIO Manish Kapoor noted that his CISO was "freaking out" after the company received an addendum request for a commercial contractor to comply with the National Institute of Standards and Technology (NIST) standard for protecting critical infrastructure within 90 days. He said this was a tall task because "NIST standards are really complicated."
Ozment, whose agency provides support for the NIST standards, said that this is happening in every industry, adding that a singular standard is better than too many standards. “The benefit of the NIST cybersecurity framework is at least we can all agree on it because the worst case for everybody is a tower of Babel … competing regulations, competing contractual demands … nobody wants to live in that world and that is why we did the NIST cybersecurity framework.”
Ultimately, Ozment said: "We're there to help you, we want to find the bad guys on your network, kick them out and get you back up on your feet again." Despite those good intentions, the DHS must overcome the perception problem it has among some CIOs. As NuStar Energy's Kapoor puts it, "Whenever I hear somebody say 'I'm from the government and I'm here to help you' I get nervous."