ANAHEIM, CALIF.–The sharing of information on threats and attacks between government agencies and companies in the private sector has been tried numerous times and in many different ways over the last decade, with varying degrees of success. The need for information flowing in both directions likely is more pressing than ever right now, with high-level attacks targeting critical infrastructure systems and utilities every day, but much of that data in the government realm remains classified and few enterprises are eager to reveal details, either. As the attacks continue, officials say there may be a need for a new mechanism to get the information flowing.
One of the main problems when it comes to information sharing programs is that the data on new threats and attacks needs to be shared as the attacks are happening, and that’s difficult to accomplish. In the middle of an attack, security teams and incident-response groups are concerned with stopping the attack, discovering what systems have been compromised and determining whether any data was stolen. Packaging up the information on what happened, even if it’s readily accessible, and making it available for others is typically a low priority.
Enterprise IT groups need to act to protect their own assets and often don’t have the time or resources to worry about whether the same kind of attack might be hitting other companies in their industry. This is one of the obstacles that has derailed many data-sharing programs, as much of the data that’s eventually made available is too old to be of use.
“The private sector can’t wait for Congress to act. They see attacks and they need to act right away,” Howard Schmidt, former White House cybersecurity coordinator, said in a meeting here last week. “Defense contractors are the poster children for this.”
Companies in the defense industry are constant targets for attackers of all stripes, but especially for the high-level attackers looking to exfiltrate intellectual property such as weapons plans. The government has had a program in place for some time now to share attack and threat data with defense contractors, called the Defense Industrial Base Cyber Security Information Assurance Program, but several companies already have withdrawn from the program and it ran into issues with the ability to disseminate classified information.
Schmidt said that the DIB program had the right intentions but was hamstrung by the classified-data issue, which is a pretty large obstacle. He said that the White House is working on a new way of getting things moving, which could come in the form of an executive order from the president.
“There could be an executive order to have the executive branch direct information sharing,” Schmidt said.
That would be a boon for companies that have access to that information, but it wouldn’t solve the larger problem of weak spots riddling the nation’s critical infrastructure as well as the private companies who work on sensitive projects. That’s something that is going to take years and billions of dollars to fix, and there’s no clear path to getting it done.
“People always ask why we don’t just rip out the insecure systems in these places and replace them, and the answer is that doing that for just one segment in one company in the electrical sector would cost billions to replace,” Schmidt said. “There’s an effort in place and over time you’ll gradually see security improve in the critical infrastructure. Now we’re seeing a rewrite of the Federal Acquisition Regulation to make sure the services that the government is buying are being sold securely.”
Overall, Schmidt said, despite the problems and ongoing attacks, he’s encouraged by the progress that’s being made on security both in the private sector and the federal government.
“Every time something happens, they say it’s a wake-up call. No, we’ve all been awake on this for a long time,” he said. “Is it possible something physical will eventually happen? Yes. But we’ve had disruptions at the banks and other things and yet the machine still runs.”