One area in information security that most CISOs agree upon is the need for members of the public and private sectors to share threat intelligence, the nature and tactics used in recent attacks, as well as best practices for strengthening information security activities.
Although information security leaders say that partnering and collaboration between members of the public and private sectors has progressed in recent years, there’s still room for improvement.
For instance, an October 2016 report published by the GW Center for Cyber and Homeland Security suggests that the U.S. Department of Homeland Security should organize the development of operational procedures for public-private sector coordination on active defense measures.
“I’ve seen great improvement (in public-private sector collaboration and information sharing) over the past three years, but there’s still a long way to go,” said Gregory J. Touhill, CISSP, CISM, Brigadier General, USAF (retired) who is currently President, Cyxtera Federal Group.
Touhill, the first-ever U.S. CISO, who will be speaking on this topic at the 2017 Washington, D.C. CISO Executive Leadership Summit, believes there are specific steps that members of both the public and private sectors can take to improve collaboration and information sharing.
“First, I believe that there’s an over-classification of information in the federal government,” said Touhill. “The default ought to be declassified as opposed to categorizing too much information as classified. Over-classifying time-critical information inhibits collaboration between the public and private sectors. Further, proposals to create separate classified networks to share classified information with a select few large and wealthy firms segregate information sharing into a ‘haves’ and ‘have-nots’ situation. A better solution set is a scrub of existing models to get essential actionable information out to the private sector faster.”
In addition, explained Touhill, many CISOs and other executives in the private sector are hesitant to share cyber information with the federal government over fears that the information will either be leaked or that distributing cyber intelligence could potentially lead to regulatory fines and increased governance.
“Trust needs to go both ways. The private sector needs to take a leap forward in sharing information with the federal government,” said Touhill. “We need to erect bridges, not walls, when it comes to information sharing.”
Expanded outreach, particularly by information security leaders in the private sector, is also needed to strengthen trust and improve collaboration between the two groups, said John Iannarelli, Former FBI Special Agent and Senior Executive Advisor on cyber matters, who will be speaking on the same executive panel at the Washington, D.C. CISO Summit with Touhill.
“So far, most of the outreach has been extended by the federal government, but I would encourage members of the private sector to increase outreach with each other,” said Iannarelli. He points to a non-disclosure agreement developed by the FBI that prevents any information from being shared outside of discussions between the participating parties.
Leveraging existing tools
Touhill believes that the Cybersecurity Information Sharing Act that Congress passed in 2015 is a good step toward boosting collaboration and trust between the public and private sectors. “But we need to communicate and advertise the provisions of that Act better,” said Touhill.
The same can be said for making the PCII (Protected Critical Infrastructure Information) provisions of the Homeland Security Act better understood by information security leaders in the private sector. For example, under these provisions, the federal government isn’t permitted to share any cyber intelligence disclosed by a private company without that company’s permission.
“It’s a great program most folks don’t know about and it can strengthen the cyber neighborhood watch,” said Touhill.
For his part, Iannarelli believes that while organizations such as the U.S. Department of Homeland Security and InfraGard, a partnership between the FBI and members of the private sector, are sharing useful cyber information with companies in the private sector, executives often overlook valuable information that’s made available to them.
One of the key benefits of joining an InfraGard chapter is that once a company has been vetted to ensure it’s not a malicious actor, it will immediately begin receiving threat intelligence alerts and other useful information, noted Iannarelli.
Touhill believes that better synchronization of programs such as the Information Sharing and Analysis Centers (ISACs) and InfraGard would be helpful in distributing real-time threat intelligence and other information to private sector CISOs.
Touhill is also an advocate of the ‘if you see something, say something’ approach to sharing threat intelligence. “I’ve seen plenty of examples of nefarious activity on the .mils, .govs, and .coms that other people are seeing but not necessarily sharing. We all need to be good neighbors in the cyber neighborhood. Together, we can solve any problem.”
The bottom line, explained Iannarelli, is that organizations can’t and shouldn’t operate in a vacuum. “Everyone is experiencing the same problems and facing the same threats,” said Iannarelli. “No one is alone in this. Sharing information early on helps companies to avoid problems.”