DHS Courts Private Sector For Threat Intelligence-Sharing

RSA CONFERENCE -- San Francisco -- The US Department of Homeland Security doesn't want to "cannibalize" existing cyberthreat-intelligence services and operations, but rather work with and help them thrive, DHS undersecretary for cybersecurity and communications Phyllis Schneck said here yesterday.

Schneck, who works with the National Protection and Programs Directorate of the DHS, in a presentation here, outlined how the DHS National Cybersecurity and Communications Integration Center (NCCIC) will operate as a central repository for threat intel-sharing under the new Executive Order encouraging more sharing of intelligence in the federal government, and between the feds and private industry.

Meanwhile, Congress this week inched closer to delivering cyber security legislation that encourages private industry threat intel-sharing: the US House of Representatives passed two bills in the past two days on cyberthreat-sharing, the Protecting Cyber Networks Act, and the National Cybersecurity Protection Advancement Act, which also provide liability protections to companies and organizations in the private sector that swap threat data with the feds. The Senate is expected to vote on similar legislation next month.  

DHS is on the lookout for security talent as well. DHS Secretary Jeh C. Johnson announced in a keynote here that the agency will open a satellite office in Silicon Valley to tap the technology talent in the region and strengthen ties to the security industry. (Federal law enforcement also was recruiting here: At the FBI booth on the conference show floor, officials were distributing information about cybersecurity job opportunities in the agency's cyber division.)

Schneck said the DHS wants to build trust with the private sector, and leveraging the private sector's talents and views into the threatscape provides the best defense against cyber attackers, she said. But she acknowledged that earning the trust of the business world is no easy feat for the government these days. "This is the hardest time ever for most companies to share with the US government, especially those who have [operations] overseas" as well, she said.

DHS NCCIC officially serves as the central portal for threat intel-sharing. DHS Secretary Johnson announced the that the NCCIC now can deliver and automate threat indicators in machine-readable format.

"Today we are sharing indicators with an initial set of companies and are in the process of adding others. Later this year, we will be in a position to begin to accept cyber threat indicators from the private sector in automated near real-time format," he said. "We have set up the NCCIC as your primary pathway to provide cyber threat indicators to the U.S. government. Yes, the government is trying to make it easy for you." 

[How some intelligence-sharing organizations operate in the face of today's threat landscape. Read ISACs Demystified.]

Schneck noted that DHS is mindful of privacy issues of participants. "The NCCIC is the core of where the cyber raw materials are, not private information. We work closely with privacy experts … which is why we collect enough data to protect and still do it right."

But to truly provide this full picture of the threats, government and the private sector need to share and pool their intelligence data. "The more tools we can put in there, the better awareness we get. We can then use those indicators and push them out, block [threats] and make more educated decisions on what to block and where," she said.

"We cannot do this by ourselves," she said. "You are our customers and also our providers" of intelligence, she said.

The NCCIC now offers machine-to-machine transmission of intel, via the STIX format language protocol and the TAXII delivery protocol. One way to make it harder on the bad guys is having this level of timely situational awareness, according to Schneck.

"We're not just sending a pretty PDF. We're going from PDF-to-person [delivery] to machine-to-machine," she said.

The NCCIC will also provide a barometer and thermometer of the threat "weather," not just flashing lights, she said. "I want to make sure … everyone has access to what the government can bring," even small organizations, which she noted also provide valuable data about adversaries their systems are facing.

ISACs and the new ISAOs will provide aggregated indicators that NCCIC can correlate with its partners to build a bigger picture of the threats.