Feds to private businesses: Cough up your cyber intelligence
President Obama has announced the formation of a new agency, the Cyber Threat Intelligence Integration Center (CTIIC), that will gather threat data broadly and analyze it so the U.S. has a single, integrated assessment of cyber intrusions. The absence of such an assessment complicated and delayed the administration's response to the Sony hack.
The 50-person, $35 million agency will draw on data from federal sources such as the CIA, FBI and NSA, but will also rely on data that corporate security pros gather in their day-to-day work protecting private networks.
While the administration can set up the CTIIC without authorization from Congress, requiring private industry to contribute would need new legislation, which has already been proposed.
But the cost of sharing this information is one factor businesses will worry about. "No business will spend money to give CTIIC data from a sense of national pride. There will either need to be a motivating carrot or a regulatory stick," says Jonathan Sander, the strategy and research officer for STEALTHbits. He says security pros all agree sharing this data results in quicker and better responses to attacks, "But the security community doesn't write the budgets."
Another concern is that it will be hard to staff the CTIIC, given that the needed talent is limited and "those with the requisite skills can make much more in the private sector," says Ken Westin, a senior security analyst for Tripwire.
Private organizations already have back-channels for sharing this type of data, says Stephen Coty, chief security evangelist for Alert Logic, usually made up of the major players in a given industry, such as finance. Just as preserving confidentiality is important to these ad hoc groups, it will be a concern for businesses sharing with the government, he says. For example, it's OK to say "Here's the details on a phishing campaign levied against a U.S. bank," but not OK to mention the bank's name, the particular IP addresses attacked and the like.
Obama has proposed information-sharing laws that would protect private entities from legal and regulatory action for turning over cyberthreat indicators to the federal government. A group including representatives of the departments of Justice, Homeland Security, Defense and Commerce would set up policies for retaining and destroying this threat information, depending on whether it meets the criteria set down in the law. The group would also set guidelines for anonymizing the data included in these threat indicators.
Specific types of data should be exempted, according to Richard Bejtlich, a senior fellow at the Brookings Center for 21st Century Security and Intelligence. Cyberthreat indicators, which are what Obama wants businesses to share, should not include personally identifiable information (PII) about individuals or data that hints at PII, and should also exclude data stolen from U.S. citizens, he writes in a Brookings opinion piece.
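The sharing rule Coty describes (campaign details yes, victim name and targeted addresses no) and the PII exclusion Bejtlich argues for can be enforced mechanically before a report leaves the company. What follows is an added example, not code from this article or from any of the organizations quoted: a Python sanitizer that keeps the attacker-side indicators (sending domain, command-and-control address, lure URL, file hash) verbatim, drops the victim-side identifiers (company name, targeted internal addresses, recipient email addresses), and replaces them with a sector label and counts. The report structure, field names and every value are constructed for the example and are not any standard's schema.

```python
import ipaddress
import re
from copy import deepcopy

# Constructed sample report (hypothetical field names and values, not a real incident
# or any standard's schema): how a bank's SOC might record a phishing campaign internally.
INTERNAL_REPORT = {
    "victim_org": "Example Bank of Springfield",
    "campaign": "credential phishing using a spoofed wire-transfer notice",
    "attacker": {
        "sender_domain": "secure-wire-notice.example",
        "c2_ips": ["203.0.113.45"],
        "lure_url": "http://secure-wire-notice.example/login",
        "attachment_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    },
    "targets": {
        "recipient_emails": ["jane.doe@examplebank.example"],
        "hit_hosts": ["10.20.30.40", "172.16.5.9"],
    },
    "analyst_notes": (
        "Recipient jane.doe@examplebank.example clicked from 10.20.30.40; lure referenced "
        "Example Bank of Springfield by name. Second host 172.16.5.9 also beaconed to 203.0.113.45."
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _is_victim_ip(text, victim_ips, attacker_ips):
    """An address is victim-side if it was listed as a hit host or is RFC 1918 private,
    unless it is a known attacker address (attacker infrastructure is what gets shared)."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    if text in attacker_ips:
        return False
    return text in victim_ips or ip.is_private


def scrub_text(text, victim_names, victim_ips, attacker_ips):
    """Redact email addresses, the victim organisation's name and victim-side IP addresses
    from free text, leaving attacker-side addresses intact."""
    text = EMAIL_RE.sub("[email redacted]", text)
    for name in victim_names:
        text = re.sub(re.escape(name), "[victim org]", text, flags=re.IGNORECASE)
    return IPV4_RE.sub(
        lambda m: "[victim IP redacted]" if _is_victim_ip(m.group(0), victim_ips, attacker_ips) else m.group(0),
        text,
    )


def sanitize_for_sharing(report, sector_label):
    """Build the version of a report that may leave the organisation: attacker indicators
    verbatim, victim identity replaced by a sector label, targets reduced to counts."""
    victim_ips = set(report["targets"]["hit_hosts"])
    attacker_ips = set(report["attacker"]["c2_ips"])
    victim_names = [report["victim_org"]]
    return {
        "sector": sector_label,
        "campaign": scrub_text(report["campaign"], victim_names, victim_ips, attacker_ips),
        "attacker": deepcopy(report["attacker"]),  # copy so the internal record is not aliased
        "target_summary": {
            "recipients": len(report["targets"]["recipient_emails"]),
            "hosts_hit": len(report["targets"]["hit_hosts"]),
        },
        "analyst_notes": scrub_text(report["analyst_notes"], victim_names, victim_ips, attacker_ips),
    }


def find_leaks(shared, report):
    """Final gate before release: return every victim identifier from the internal record
    that still appears anywhere in the shareable record, so the release can be blocked."""
    blob = repr(shared)
    candidates = [report["victim_org"]] + report["targets"]["recipient_emails"] + report["targets"]["hit_hosts"]
    return [c for c in candidates if c in blob]


if __name__ == "__main__":
    shared = sanitize_for_sharing(INTERNAL_REPORT, "U.S. bank")
    assert find_leaks(shared, INTERNAL_REPORT) == []
    print(shared)
```

The regexes catch structured identifiers (email addresses, IP addresses, a known organisation name); they do not catch a free-form personal name or an indirect hint such as a branch address, which is why `find_leaks` is a last gate on known identifiers and not a substitute for an analyst reading the sanitized record before it is released.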
Private industry is the target of attacks that seek to steal information that is damaging either to national security (attacks against defense contractors, for example) or to the economic viability of large corporations (attacks designed to steal intellectual property from corporations with competitors in other countries). As such, businesses collectively hold vast and valuable intelligence about who is attacking whom and how they are doing it.
The argument the Obama administration makes is that blending this private intelligence with threat data gathered by U.S. spy and law-enforcement agencies can create a more complete picture of cyber espionage and cyber warfare.