The Department of Homeland Security has taken an important step toward consolidating its role on cybersecurity information-sharing, and now it will be up the department to actually make the highly touted, closely scrutinized process work.
DHS last week certified to Congress that its automated cyber threat information-sharing capacity, known as “AIS,” is up and running at the department’s National Cybersecurity and Communications Integration Center.
The certification was required under the Cybersecurity Act of 2015, which placed DHS at the center of a cybersecurity info-sharing constellation that includes various arms of the government as well as the private sector.
The department last month met several other deadlines under the new law as it builds up the architecture for the info-sharing system and couples it with mandated privacy and civil liberties protections.
Those protections have been ridiculed as grossly inadequate by digital privacy groups, but if DHS can pull this off, it will have produced a valuable model on government-industry collaboration against cybersecurity threats.
“We’re cautiously optimistic,” said an industry source who received a briefing on the system from DHS Secretary Jeh Johnson and senior cyber official Andy Ozment.
Johnson declared the system “open for business” in an appearance at the DHS “NCCIC” facility in Arlington, Va. He characterized it as the “see something, say something” of the Internet.
“The goal of the AIS initiative,” according to DHS, “is to achieve real-time sharing of cyber threat indicators by enabling DHS’s National Cybersecurity and Communications Integration Center to (1) receive indicators from the private sector and other non-federal entities; (2) remove unnecessary personally identifiable information; and (3) disseminate the indicators, as appropriate, to other federal departments and agencies and the private sector and other non-federal entities.”
That dry description doesn’t tell the story of how much is at stake here.
A robust system of real-time information sharing is seen by most cybersecurity policy mavens as the key to turning the tables on sophisticated state-sponsored and other hackers who frequently skip through the cyber defenses of both government and corporate networks.
DHS’s ability, or inability, to lead and manage such a system was a constant undercurrent of a congressional debate that culminated in December with enactment of the Cybersecurity Act of 2015.
Breaches at various government agencies cast doubt on DHS’s ability to secure the government’s own networks, much less the Internet as a whole.
But Melissa Hathaway, who served as a top cybersecurity adviser to President George W. Bush and in the early days of the Obama administration, said in an interview late last year that an operational information-sharing role was probably the place where DHS could have the most success.
The department is frequently asked to perform three distinct tasks on cybersecurity, she explained: developing policy, building relationships with industry and across government, and performing the operational role of collecting and sharing cyber threat information.
“It’s doing all three poorly,” she said at the time. “We’ve spread them like peanut butter in three directions.”
On the other hand, info-sharing offered a possible “win” for the often beleaguered department. “If they can get good at one function,” she said, “maybe they can improve in other areas.”
The pieces are almost in place to fully test that proposition. DHS is also asking Congress to pass a bill that would reorganize and streamline its cybersecurity functions, which could happen this year.
Now it’s up to DHS to deliver.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of “Hacked: The Inside Story of America’s Struggle to Secure Cyberspace,” coming this spring from Rowman and Littlefield.
