DHS finds classified cyber sharing program slow to take off

Thursday - 6/13/2013, 6:44am EDT

Jason Miller, executive editor, Federal News Radio

Download mp3

The Enhanced Cybersecurity Services initiative is supposed to expand the number of companies that receive classified or top secret information from the government about real or potential threats.

While many companies are interested, few have decided to make the investment.

Jenny Menna, the Homeland Security Department's director of stakeholder engagement and cyber information resilience division, said about 54 companies have expressed interest, but since it's a voluntary program and the government doesn't provide any funding, businesses must decide if it makes sense to invest in a secure facility and in network upgrades to handle classified data.

Menna, who spoke Wednesday at the Information Security and Privacy Advisory Board meeting in Washington, said the Enhanced Cybersecurity Services (ECS) program hasn't expanded beyond the original 17 or so companies.

The White House renamed ECS as part of the February executive order on cybersecurity. DHS took over the program from the Defense Department about a year ago and changed names from the Defense Industrial Base pilot.

Under ECS, DHS shares classified and top secret cyber threat or indicators with certain companies that are considered national critical infrastructure in an effort to improve network security across the board.

One-way sharing

The goal of the program is not to replace existing cyber capabilities, but to improve what they already do by sharing indicators, which could be anything from signatures to malware or other types of data. ECS is only one-way sharing from the government to industry partners.

"This is a voluntary program," Menna said. "We send an indicator file to participants about one day a week. We are about to move to twice a week."

She said the DoD DIB pilot focused only on Internet service providers (ISPs), but ECS will include a broader assortment of commercial service providers, including managed security companies and others.

Menna said companies must sign an agreement with DHS and then get accredited to accept classified and top secret data.

And it's that process that may be the main reason why none of the 54 companies that showed initial interest since the executive order came out have moved into the program.

Part of deciding to make this significant investment is vendors must understand the value of the data and the program.

Value of data slowly coming more clear

Greg Garcia, a former DHS assistant secretary for cybersecurity, said the value of the information sharing program is clear.

"I support the financial services Information Sharing and Analysis Center (ISAC), and they have dozens and dozens and sometimes well over 100 emails a day among various members trading information about threats that they are seeing, attacks, phishing attempts," said Garcia, who now is a consultant and a member of the advisory board. "The conversation goes around 'Are you seeing this?' 'Yes I'm seeing this.' 'What are you doing?' 'I'm doing this.' So they take that information back and are scanning their networks for the information that has been shared and therefore they are prepared. They are forewarned and forearmed. That kind of information comes from company members. It comes from the ISAC. It comes from U.S. CERT and partners and stakeholders from all around the cybersecurity community."

He added this type of program is something DHS has long envisioned, so the fact it's coming to fruition, though a bit more slowly than many would like, is a positive sign.

DHS is having more success with an unclassified information sharing program.

60-40 split

The Cyber Information Sharing and Collection Program (CISCP) shares threat indicators two-ways, between the government and 45 companies or organizations across 14 different critical infrastructure sectors.

Menna said of the 45 agreements in place, about 13 are ISACs and the rest are with companies.

"We've shared almost 20,000 indicators in the first year or so," Menna said. "About 60 percent come from the private sector to the government and other participants."

She said DHS anonymizes the information when it shares threats and indicators with federal agencies through the U.S. Computer Emergency Response Team (CERT). The CISCP program also started as a pilot between DHS, DoD and the financial services companies to share unclassified indicators.

The success of these information sharing programs is because the value is clear from the beginning, and DHS continues to add more value to it.

For example, Menna said DHS hosts a quarterly meeting at both the classified and unclassified levels to share threat technology and mitigation best practices.

Garcia said companies are approaching both these programs cautiously.