The Enhanced Cybersecurity Services initiative is supposed to expand the number of companies that receive classified or top secret information from the government about real or potential threats.
While many companies are interested, few have decided to make the investment.
Jenny Menna, the Homeland Security Department’s director of stakeholder engagement and cyber information resilience division, said about 54 companies have expressed interest, but since it’s a voluntary program and the government doesn’t provide any funding, businesses must decide if it makes sense to invest in a secure facility and in network upgrades to handle classified data.
The White House renamed ECS as part of the February executive order on cybersecurity. DHS took over the program from the Defense Department about a year ago and changed names from the Defense Industrial Base pilot.
Under ECS, DHS shares classified and top secret cyber threat or indicators with certain companies that are considered national critical infrastructure in an effort to improve network security across the board.
The goal of the program is not to replace existing cyber capabilities, but to improve what they already do by sharing indicators, which could be anything from signatures to malware or other types of data. ECS is only one-way sharing from the government to industry partners.
“This is a voluntary program,” Menna said. “We send an indicator file to participants about one day a week. We are about to move to twice a week.”
She said the DoD DIB pilot focused only on Internet service providers (ISPs), but ECS will include a broader assortment of commercial service providers, including managed security companies and others.
Menna said companies must sign an agreement with DHS and then get accredited to accept classified and top secret data.
And it’s that process that may be the main reason why none of the 54 companies that showed initial interest since the executive order came out have moved into the program.
Part of deciding to make this significant investment is vendors must understand the value of the data and the program.
Value of data slowly coming more clear
Greg Garcia, a former DHS assistant secretary for cybersecurity, said the value of the information sharing program is clear.
“I support the financial services Information Sharing and Analysis Center (ISAC), and they have dozens and dozens and sometimes well over 100 emails a day among various members trading information about threats that they are seeing, attacks, phishing attempts,” said Garcia, who now is a consultant and a member of the advisory board. “The conversation goes around ‘Are you seeing this?’ ‘Yes I’m seeing this.’ ‘What are you doing?’ ‘I’m doing this.’ So they take that information back and are scanning their networks for the information that has been shared and therefore they are prepared. They are forewarned and forearmed. That kind of information comes from company members. It comes from the ISAC. It comes from U.S. CERT and partners and stakeholders from all around the cybersecurity community.”
He added this type of program is something DHS has long envisioned, so the fact it’s coming to fruition, though a bit more slowly than many would like, is a positive sign.
DHS is having more success with an unclassified information sharing program.
Menna said of the 45 agreements in place, about 13 are ISACs and the rest are with companies.
“We’ve shared almost 20,000 indicators in the first year or so,” Menna said. “About 60 percent come from the private sector to the government and other participants.”
She said DHS anonymizes the information when it shares threats and indicators with federal agencies through the U.S. Computer Emergency Response Team (CERT). The CISCP program also started as a pilot between DHS, DoD and the financial services companies to share unclassified indicators.
The success of these information sharing programs is because the value is clear from the beginning, and DHS continues to add more value to it.
For example, Menna said DHS hosts a quarterly meeting at both the classified and unclassified levels to share threat technology and mitigation best practices.
Garcia said companies are approaching both these programs cautiously.
“How secure is the information that they are sharing? Information that if leaked could present problems with reputation, customer confidence and other issues,” he said. “We talk about legal instruments that enable that sharing and the lawyers at DHS settle on a Cooperative Research and Development Agreement (CRADA), which among other things stipulates that information shared in a CRADA environment becomes in effect community property so you lose the rights to that intellectual property. That causes some companies a lot of heartburn and it will prevent them from participating or if they do participate they might not do so as robustly if that intellectual property provision did not exist.”
Legislation less important
Congress has been trying for the last few years to pass legislation to improve information sharing between the government and industry.
But Garcia said the success of these programs shows that legislation is only one piece of the puzzle, not the key piece.
“Other than liability protections, I don’t think legislation is particularly relevant in this case,” he said. “I think the future state we should envision was well articulated in a paper written by DHS a couple of years ago referring to the cyber ecosystem, which envisioned a network of networks that are self aware, self healing and involves machine-to-machine information sharing, malware detection and more. The more we can get automated, the more we remove the human element that has some of those sticky social issues like privacy and liability, that’s the future state we should be looking at. In the meantime, we still need to build out these trust relationships in any way, shape or form that we can find that works.”
Menna said DHS realizes the first attempt at creating these programs will not be perfect and there is room for improvement, and the more vendors participate, the quicker the information sharing can improve.