When it comes to protecting the nation's critical cybersecurity infrastructure, tech leaders within the private sector ought to coordinate with the U.S. Federal Government, said National Security Agency director Michael Rogers to a crowd of corporate executives in November.
Rogers explained that the recent slew of attacks directed toward private entities, including incidents at Target and Sony Entertainment, demonstrates the need for a public-private partnership to address cyber incidents more effectively.
However, at a time when President-elect Donald Trump's forthcoming handling of the NSA and cybersecurity is unclear, many executives are still unsure of what sharing their information with the government entails and whether it is the right thing to do for the safety of their businesses.
Earlier this year, the Department of Homeland Security and the Department of Justice released the final procedures for how the government will implement its Cybersecurity Information Sharing Act of 2015, an effort to encourage businesses to share their threat information. The legislation encourages enterprises to coordinate with the government on information by offering them immunity and exemption from antitrust laws and Freedom of Information Act requests.
Still, businesses are often skeptical of how the government plans on using their information and uncertain of whether they will be truly free of liability concerns, according to Daniel R. Stoller, senior legal editor at Bloomberg Law Privacy & Security News.
"The government may use the information to prevent or mitigate a specific threat of death or bodily harm and prevent or mitigate the sexual exploitation of a minor, among other purposes," said Stoller, in an interview with CIO Dive. "This leaves companies with at least some uncertainty about whether they may be able to successfully obtain liability protection if they decide to share cybersecurity threat data with the government."
So, to clear up uncertainties on how exactly the government wants to share data with the private sector and how it will use the information, CIO Dive spoke with Dr. Neil E. Jenkins, the Director of Enterprise Performance and Management Office in the NPPD's Office of Cybersecurity & Communications. He answered our questions on why the government wants to share data, as well as the benefits that the private sector could reap from a partnership. This conversation has been condensed.
Why should private companies consider sharing their information with the government?
Jenkins: Our main mission in working with the private sector in particular is in providing them with the information they need to secure their own networks. In terms of coordination, what we have found is that in order to do the job of cybersecurity, we have to share the information as broadly and as quickly as possible on as many types of incidents as we can. What that means is that when we see incidents on federal.gov, we turn those indicators over to the rest of .gov and the private sector.
When one entity in the private sector tells us about an incident through our automated indicator system, we boil that down, and then we share that information with the rest of the private sector.
So, if a financial institution shares information with us, those indicators could also be useful to other sectors. It's a way to cross-pollinate as many indicators as possible, so that everyone can protect themselves.
One of the other main roles we provide is incident response in light of a cyberattack. We can provide entities with recommendations on what they need to do, and we can package those indicators up and get them out to the greater community to mitigate the effects of an attack.
Why do private institutions often feel wary about working with the government on cybersecurity?
Jenkins: One of the most common things I've heard is that private companies are worried that they will have liability concerns if they share information with the government and potentially be found to be at fault because of something.
One of the things we try to do to work with that issue and alleviate that pressure is to offer civil rights, privacy and liability protections to companies, through the CISA legislation that came out at the end of 2015. So as quickly as we get an indicator from a private entity, we do a privacy scrub on it before shipping that out to the broader community. Private sector entities that share that information with us by the statute get liability protection for doing so. They are not going to be at fault for sharing that information with us.
Then, of course, there are also some trust issues that private entities have with sharing their information with government. What we try to do is make sure that when we do basic indicator sharing of IP addresses or email addresses, which are actually threat vectors, we maintain privacy and civil liberties by offering entities in the private sector liability safety. We are showing them that what we are doing is beneficial to them and won't hurt them down the road.
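The "privacy scrub" described above, shown as an added illustration that is not DHS code and not the AIS/STIX format: a submitted indicator record is reduced to an allow-list of validated threat indicators (IP addresses, sender e-mail addresses, file hashes), while the submitter's identity, victim hostnames, victim usernames and any non-indicator e-mail address in the free-text description are dropped or redacted before the record is redistributed. The field names and the sample submission are constructed assumptions for this example.

```python
import ipaddress
import re

# Assumed, simplified submission schema for this example (not the real AIS schema).
# Only these indicator types are considered shareable threat vectors.
ALLOWED_TYPES = {"ipv4", "email", "sha256"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def _valid_indicator(ind: dict) -> bool:
    """Accept an indicator only if its type is allow-listed and its value is well-formed."""
    kind, value = ind.get("type"), str(ind.get("value", ""))
    if kind not in ALLOWED_TYPES:
        return False
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            return False
        return True
    if kind == "email":
        return EMAIL_RE.fullmatch(value) is not None
    return SHA256_RE.fullmatch(value.lower()) is not None  # sha256


def scrub_submission(submission: dict) -> dict:
    """Return the shareable subset of a submission: validated indicators plus a
    redacted description. Submitter and victim blocks are never forwarded."""
    kept = [
        {"type": i["type"], "value": i["value"]}
        for i in submission.get("indicators", [])
        if _valid_indicator(i)
    ]
    # E-mail addresses that are themselves threat indicators may stay in the text;
    # every other address (e.g. the targeted employee) is personal data and is redacted.
    threat_emails = {i["value"].lower() for i in kept if i["type"] == "email"}
    text = submission.get("description", "")
    text = EMAIL_RE.sub(
        lambda m: m.group(0) if m.group(0).lower() in threat_emails else "[redacted-email]",
        text,
    )
    # Internal hostnames and usernames named as victims are redacted wherever they appear.
    victim = submission.get("victim", {})
    for token in victim.get("hosts", []) + victim.get("users", []):
        text = re.sub(r"\b" + re.escape(token) + r"\b", "[redacted]", text)
    return {"indicators": kept, "description": text}


# Constructed sample submission from a fictitious financial-sector company.
SAMPLE_SUBMISSION = {
    "submitter": {"org": "Example Bank", "analyst": "Jane Doe",
                  "contact": "jane.doe@example-bank.test"},
    "victim": {"hosts": ["fs01.corp.example-bank.test"], "users": ["jdoe"]},
    "indicators": [
        {"type": "ipv4", "value": "203.0.113.45"},
        {"type": "ipv4", "value": "203.0.113.999"},          # malformed, dropped
        {"type": "email", "value": "billing@attacker.invalid"},
        {"type": "sha256", "value": "0123456789abcdef" * 4},
        {"type": "username", "value": "jdoe"},                # not an allowed type, dropped
    ],
    "description": (
        "Phishing from billing@attacker.invalid targeted jane.doe@example-bank.test "
        "and jdoe; payload on fs01.corp.example-bank.test beaconed to 203.0.113.45."
    ),
}

if __name__ == "__main__":
    print(scrub_submission(SAMPLE_SUBMISSION))
```

The allow-list is deliberately tight: anything the scrubber does not recognise as a threat indicator is dropped rather than forwarded, which is the conservative default when the downstream audience is every sector rather than the one that reported the incident.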
What does the government do when private institutions face a significant cyberattack? For instance, the most recent DDoS attack on Dyn.
Jenkins: So for example, the DDoS attack against Dyn affected Twitter and Netflix and other companies, because it was an attack against the internet infrastructure. So an attack on Dyn ended up having an effect on multiple entities.
We proceeded by getting information from different sources about what IP addresses were attacking Dyn, where the DDoS attacks were coming from. We were getting those from Dyn itself, from companies that mitigate denial of service attacks, and from communications providers. We would package all this information up and send it out to the larger community so that companies could do what they needed to handle the incident more effectively.
Communications providers would use the information to look at what they could do on their networks in order to redirect traffic away from Dyn. That information was used by DDoS mitigators to populate their systems, so they could defend networks better. We share that information out to departments within the federal agency, to other critical infrastructure entities, response teams, and all of those entities are then able to take the actions.
On that day, the first attack happened in the morning against Dyn, and it took about 3-4 hours to mitigate. It happened again in the afternoon, when we had more information, and the attack only worked for about an hour. The attack at night was over in less than a half hour. So, the information that we had shared allowed Dyn to mitigate the attack, so that it didn't really have an effect at all.
The other thing we can do is send teams out to help entities and their teams fix issues they are having. We have teams that can go out and help people clean up their networks. For instance, we have the National Cybersecurity and Communications Integration Center, which can handle the technical response, and then the FBI can actually go after the bad guy. Within that framework, the DHS acts like a fireman, and the FBI is the police to find out who started the fire.
What's the business case for a private-public partnership on cybersecurity?
Jenkins: In terms of systems like [Automated Indicator Sharing] and many of the other services we provide, there is not much cost for entities to participate in it. For AIS in particular there is an upfront cost and a maintenance cost of having a server that can receive the information, but after that you are getting information that we have as quickly as we can provide it at no additional cost.
By providing these indicators as quickly as possible, companies can provide that information back to us, and we can share that information out broadly. We build an ecosystem of everyone sharing and knowing what the problems are, as well as the pertinent threat indicators.
It's important to note that as we move forward just into cyber generally, what we are finding is that more and more functions of society are tied in with cybersecurity and the information technology systems that support it. It could be the data that's present on networks or IT networks, which are connected to control systems, that do anything from providing power to the power grid to managing the financial services sector. It's true, we have gotten to a point where CEOs think of cybersecurity as one of their main risk vectors, but not everyone does.