DHS tries sharing cyber threat data differently

Friday - 5/14/2010, 6:58am EDT

WFED's Jason Miller

Click below to hear the report

Download mp3

By Jason Miller
Executive Editor
Federal News Radio

The Homeland Security Department is testing an approach that could change the way the government secures its computer networks.

DHS and the Defense Department are in the middle of a pilot program with financial services companies to share cyber threat data in real time from each of their networks and to review intrusions and activity on their networks.

"This is an opportunity for us to really look at data across government and industry," says Greg Shaffer, DHS's assistant secretary for cybersecurity and communications at the 37th Annual Communications and Computer Association's Washington Caucus Thursday. "The pilots are moving us in the direction of being more operational. The end goal is to reduce risk. We are trying to find ways to information share that is operationalized and actually helps both government and industry reduce the amount of risk involved."

A second pilot focuses on letting cleared personnel from companies view secret or classified threat data at state fusion centers.

Shaffer says these individuals now must come to Washington to view the sensitive information.

The goal is to create a forum for DHS to be able to discuss across critical infrastructure sectors and levels of government information pertaining to threats, including vulnerability identification, threat analysis and consequence information.

A third pilot is a proof of concept using Einstein 1 software on the Michigan state government's networks.

"The purpose of this study is to help DHS develop a program that will help state governments enhance their cybersecurity and to increase DHS overall cyber situational awareness," says John Denning, a DHS spokesman.

Shaffer says DHS wants to use all the capabilities of the private sector and government to improve cybersecurity across the board.

"The actionable data that we can share, the material that actually allows us to tune our solutions both in government and industry has to be as available as we can possibly make it for both sides to most efficiently reduce risk," Shaffer says. "Holistically, the risks that we have are never going to be reduced unless we do exactly that-unless we are sharing the data across these various domains and we are doing it as quickly as we possibly can, we are not going to be in a position to deal with the growing and increasing rate of attacks and more sophistication that we through the groups and attackers that are engaged and involved."

To make this sharing happen more quickly, Rep. Anna Eshoo (D-Calif.) says agencies need a better approach for companies to report cyber threats that establishes trust.

"Companies won't report if they are going to be bombarded by dozens of government agencies each wanting to investigate the incident," she says. "The government needs to streamline the process when it comes to cyber reporting so that it is clear to industry what to expect when you step forward."

Eshoo, whose district includes Silicon Valley, says the sharing must be a two-way street. Too often, she says, the government makes important threat data classified.

"We need to think this through very smartly and there has to be an atmosphere where information is not only safe, but that it is encouraged," she says. "Industry is a necessary partner in operating the networks and it does us no good in my view to keep critical information from our partners."

For DHS and industry to share information, first they must be collecting and analyzing threat data.

Shaffer says DHS is making progress in gathering federal information. He says DHS has installed the Einstein 2 intrusion protection and detection software on 12 of 21 agencies that will run their own Internet gateways under the Trusted Internet Connections initiative.

"It allows us to examine the traffic that moves in and out of federal networks and look for malicious traffic in near real time," he says. "That gives us the ability to know when something is happening and respond more quickly to risks that are faced by the network."

But a recent Government Accountability Office report didn't paint a positive picture of the Einstein 2 implementation. GAO found 12 agencies had not set a time table to begin their implementation.

And one agency security officer, who requested anonymity because they didn't have permission to talk about this subject, says it's taking their agency so long to install Einstein 2 because the memorandum of agreement with DHS is stuck in the approval process.

When Einstein 2 is fully deployed in the coming years, Shaffer says DHS expects have more than 100 agencies using the software and reporting data to U.S. CERT.