On cyberthreats, who you gonna call?

Encouraging industry to share evidence of hacks and attempted hacks is a central objective of cybersecurity policymaking, but who in government should receive “cyberthreat indicators” from companies continues to sow confusion.

Deputy Homeland Security Secretary Alejandro Mayorkas last week said at a Georgetown University event that his department will soon issue guidance for industry on the sharing process.

“Who are we supposed to call?” and “What will we receive in return?” are frequent questions industry asks of DHS, Mayorkas said.

The previous week at Georgetown University, FBI Director James Comey offered lukewarm remarks about the cybersecurity information-sharing “portal” at the Department of Homeland Security. Comey urged businesses to inform the FBI about breaches and to work closely with the bureau to identify cyberthreats.

He promised the FBI wouldn’t share the information with regulators, and said fears of regulatory consequences are inhibiting companies from participating in info-sharing.

Comey acknowledged that companies are encouraged under the Cybersecurity Act of 2015 to share through DHS, which in turn is supposed to send that information to the FBI and other agencies after removing any personally identifiable information.

But, Comey said, “We don’t know how that’s going to work.”

The Senate last year explicitly rejected a proposed amendment to the Senate cyberbill to extend liability protection for companies that share directly with the FBI.

The sponsors of the 2015 cyberlaw made clear they wanted to encourage sharing through the DHS portal at the National Cybersecurity and Communications Integration Center by making that the legally protected route.

That process has begun, somewhat slowly and not without confusion.

“We will grow this system incrementally,” DHS Assistant Secretary Andy Ozment testified before a congressional panel last month. “We are not going to reach all of the American economy in just a few months. I’m very happy with our rate of growth to date.”

Mayorkas said 24 companies have already connected to DHS and more are in the process of signing up.

The FBI declined to comment further on the interplay between the FBI and DHS info-sharing activities.

But a congressional source who worked on the pro-DHS language in last year’s bill didn’t take offense at Comey’s words, saying it is very early in the development of the DHS portal.

Added an industry source: “I don’t think anyone claimed that once the liability protection passed that the information flow to DHS would begin immediately. Organizations now need to work through internal policy issues on what to share, when to share and who can share.”

But the process isn’t helped when voices from different federal agencies present themselves as the proper channel for cyber-sharing, the source said.

Another business source suggested this was little more than a case of growing pains.

“Comey is trying to ease companies’ regulatory concerns, and that’s always good to do,” this business source said. “And, the FBI is right to seek information directly from non-federal entities. Until the bureau is confident that threat data sent to the DHS portal gets to the FBI in a timely way, Comey is justified in being skeptical.”

On the other hand, the source said, “I get the sense that DHS is really going to try to share indicators and defensive measures swiftly with appropriate federal entities. We need automated indicator generation and sharing to become ubiquitous, and we can’t get there quickly enough.”

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” published by Rowman and Littlefield. 
