White House seeks to shed the risk-averse cyber information sharing culture

Monday - 2/25/2013, 5:10am EST

Jared Serbu, DoD reporter, Federal News Radio

One of the effects of the executive order on cybersecurity President Barack Obama signed earlier this month is to begin sharing up-to-date, classified government information on cyber threats with companies that operate critical infrastructure. The White House says that broader sharing comes with some significant Homeland Security Department, and National Institute of Standards and Technology lynchpins helping the cyber order succeed.

Until now, the government has kept an extremely tight lid on the data it collects and maintains about current cyber threats, initially distributing those attack signatures to select members of the defense industrial base, and later, to some of their Internet service providers. But the president's executive order expands the sharing outside the Defense sector, to companies that own or operate critical infrastructure systems.

Any decision to expand that circle of trust involves a sensitive balancing act, said Andy Ozment, the senior director for cybersecurity in the Executive Office of the President.

"When you share information too broadly, sometimes it can lose its value because your adversaries learn of it and they change their techniques, and the information is no longer useful. At the same time, if you don't share information at all, it's very rarely useful," he told a cybersecurity conference hosted by AFCEA D.C. Friday. "So, what we've done here is said that as we're doing this risk analysis on whether to share information, we need to put our finger on the scale a bit. We're going to emphasize the benefit we're going to receive and we're going to take more risk as a government with the information we've collected. We think that's the only way to make progress, because this is a responsibility we all share, and critical infrastructure operators can't respond to cyber threats unless they're informed."

More people to receive threat information

Ozment said the White House is committed to significantly increasing the timeliness, the volume and the quality of the information the government shares with private industry. One way agencies will try to keep critical infrastructure operators better informed is to expand the number of people in those industries who have security clearances. The White House realizes the clearance process has been inadequate so far, he said.

"We hear time and again from people in the critical infrastructure sectors that they need more clearances. They say, 'Look, we have one person in our company with a clearance. He receives the threat information but doesn't have the operational abilities to respond.' Or conversely, operators can get the granular information, but they lack the strategic threat picture," he said. "We hear that message, so the executive order directs DHS to prioritize and increase the issuance of clearances to critical infrastructure owners and operators. DHS had a program for doing that and it was on hiatus for about a year-and-a-half for lots of bureaucratic reasons, which we have conquered."

Clearances, however, can't be the only answer. There are, Ozment said, simply far too many people in the universe of critical infrastructure operators who need to understand cybersecurity issues to grant clearances to all of them. The White House hopes the Enhanced Cybersecurity Services (ECS) program — formerly known as the Defense Industrial Base pilot — will fill that gap. The Defense Department already has been using the program to share cyber threat signatures with a handful of Internet service providers, so that they, in turn, can offer protection to defense companies as a managed service.

"To use an analogy, let's say you're a military base and you want to protect the perimeter, so you have a guardhouse at the entrance to the base. In our scenario, you've contracted that guardhouse out, and they can deal with classified information. So the government gives them a classified photo of a bad guy and says 'Don't let this guy into the base', but the people inside the base don't get to see that photo," he said. "So you're receiving the protection if you're on base, but we're also not revealing the classified information too broadly. That's essentially the concept behind ECS."

Advanced understanding needed

At the same time, though, Ozment said agencies continue to struggle over concerns that some companies that operate critical infrastructure don't have the capacity or know-how to understand and react to cyber threats adequately. In those cases, information sharing isn't good enough.

"What we've found is unless an organization has a basic level of cybersecurity defenses, there's no amount of sharing we can do that will make them successful," he said. "The guardhouse works if it's on the road to the base. But if you don't know how many roads are going in and out of your base, you can't put guardhouses on them, and having a photo of the bad guy does you no good if you have no understanding of the roads that are entering and exiting your base. That's the situation we find sometimes in critical infrastructure."