Threat information sharing builds better cyber standards, expert says

Thursday - 10/3/2013, 5:05pm EDT

Anne Neuberger, director, Commercial Solutions Center, NSA


Cybersecurity experts often consider public-private partnerships to be something of a mixed bag.

"On the one hand, they're cited as critical to improving the government's awareness of what's occurring on private-sector networks and also really improving private sector ability to defend networks," said Anne Neuberger, director of the National Security Agency's Commercial Solutions Center. "On the other hand, they're frequently criticized as ineffective."

Neuberger made those remarks in a Sept. 25 speech at the Second Annual Cyber Security Summit hosted by the U.S. Chamber of Commerce in Washington, D.C.

To illustrate the contradictory nature of these government and business partnerships, she shared the lessons NSA learned — both good and bad — in participating in public-private partnership models.

Eighty-five percent of the nation's critical infrastructure is owned and operated by the private sector, she said. In addition, the private sector is responsible for building many of the individual systems those companies run, from utilities to networks to routers.

"On the private side, threat intelligence is gathered by private-sector entities," Neuberger said. "But there's also ... government-gathered threat intelligence, and the sense is that threat intelligence is often gathered on certain entities — tactics and techniques. Based on the number of times, in various groups, we talk about the importance of greater government information sharing, there is certainly at least the perspective that that threat intelligence would be useful if shared frequently and at the right value level with the private sector."

One of the central challenges the government and private sector face in establishing a threat-sharing system is the degree of shared responsibility both sides have, particularly between the government and large, critical-infrastructure firms.

"Critical services, as we noted, from power to water are owned by private-sector firms, but it's probably fair to say the average citizen looks to their government to ensure the resiliency and the continuity of those services," Neuberger said. "And in addition, it's also fair that companies may spend enough to ensure that their networks securely support core business functions. But it's also probably a reasonable sense that they may feel that the ability to really gird networks from catastrophic attacks may well be something that's a shared government responsibility."

Currently, the government does not monitor private-sector networks to maintain, detect and stop malicious activity.

"As a result, if we're saying that there is that shared responsibility, the model of a partnership does seem to be at least an intermediate way to rapidly share threat and vulnerability information," she said.

Neuberger described two models for government-private sector work — one regulatory, the other a partnership.

"Given the complexity of setting standards and regulating technology in such a rapidly evolving area, it does seem worthwhile that we kind of take that partnership model as far as it can get us before looking towards a regulatory model," she said, adding that is the position of the government and the U.S. Chamber.

Can public-private partnerships actually work?

While a need for establishing public-private partnerships exists, the question remains: what is the best way to make those systems work?

Currently, the federal government has three models for partnering with the private sector — general, targeted and operational. These are voluntary, cyber-specific information sharing efforts supporting critical infrastructure protection that ensure the government is sharing threat intelligence with companies.

These efforts are different from the NSA programs recently leaked to the press by former contractor Edward Snowden.

"Those are foreign intelligence programs, where U.S. companies are compelled to respond to lawful orders," she said. "Those orders are carefully reviewed by appropriate courts and subject to strict oversight by all three branches of government."

General information sharing, the first model, applies to a broad range of private entities with a focus on sharing threat information.

"Pretty much any company that wants to participate can," Neuberger said. "Mostly, it's done as one-way sharing from the U.S. government to private companies with, in some cases, limited and anonymized sharing by those private sector participants."

Neuberger pointed to the Financial Services - Information Sharing and Analysis Center as an example of a successful general information sharing entity.

Targeted information sharing focuses on highly specific, often classified, threat information shared among a small group of companies, many of which are in the technology sector. The purpose of this model is to mobilize key technology-sector and government experts to improve security within that realm.

"The thought there is that by actually improving the security within hardware and software products, you'll have the natural side benefit of that broad array of companies or consumers who then purchase those products naturally being protected from that threat," Neuberger said.