Current and former policymakers admit it: The U.S. government needs to do a better job sharing cyberthreat information with the private sector if it’s going to defeat increasingly complex cyberattacks from nation states.
The exchange of cyberthreat information between the government and companies was the cornerstone of a 2015 bill hailed as landmark legislation to protect against digital attacks. But more than two years later, these comments at a Cyber 202 Live event hosted Friday by The Washington Post reveal the U.S. government has an incredibly long road ahead to effectively implement the legislation. Officials are finally acknowledging they have been too focused on trying to get companies to share information with them -- and less on sharing with private companies who want threat intelligence the government detects.
“No company out there, no state out there is going to overcome this challenge by themselves. We have to work together,” said Christopher Krebs, undersecretary for the Department of Homeland Security’s main cyber unit, the National Protection and Programs Directorate.
“We have to be thinking more broadly,” added Tonya Ugoretz, director of the Cyber Threat Intelligence Integration Center, which tracks cyberthreats from within the Office of the Director of National Intelligence. “The U.S. government does not have the monopoly on intelligence when it comes to cybersecurity.”
Ugoretz said the government could create a more “holistic picture” of the threats it sees by forging new relationships with the private sector's cybersecurity industry.
“The more that we can create a dialogue and mechanisms for sharing information between government and private sector back in the other direction,” she told my colleague Ellen Nakashima at the event, “that will help all of us be better able to play defense against some of these efforts.”
The Cybersecurity Information Sharing Act created incentives for private companies to share their threat intelligence with the federal government. By giving them legal immunity and setting up a more formal repository for that information through DHS, the hope was that the exchange of information would better prepare the country to defend collectively against attacks.
But few companies are participating. As the website NextGov reported recently, just six nonfederal entities have signed up to share their data. Lawmakers who supported the legislation had expected the number to rank in the thousands, according to NextGov.
Still, the fact that they’re not sharing doesn’t mean there’s nothing to share. All industry sectors are facing widespread threats — and it's going to take a “whole-of-government” response to help them, panelists said.
“If you talk to [chief information security officers] who are in financial institutions, they shake a lot and they sweat and they don’t sleep much, because they are overwhelmed at the sheer level,” Mike Rogers, the former Republican chair of the House Intelligence Committee, told my colleague Carol Leonnig. “You used to have criminals only trying to get in — now you have nation-states trying to get in, which makes their job incredibly difficult.”
“And we’re all going to pay a price for that,” Rogers said. “Without a concerted effort this is only going to get worse.”
There have been hopeful developments of collaboration, panelists said. One major success story, Ugoretz said, was the government’s work with private cybersecurity researchers to investigate and attribute the devastating WannaCry ransomware attack to North Korea. In that instance, she said, private-sector researchers had detailed data on the cyberattack that they shared with DHS and the intelligence community. “We relooked at that data that came from the private sector and I think realized what we had,” Ugoretz said. “The importance was having the relationships and the trust to be able to go to different partners and say, 'This part of the community needs this piece of information that another part has. And also, to be that kind of nudge to the community.'”
Krebs also noted, for instance, that DHS and the FBI are working with Microsoft to investigate unsuccessful hacks on three congressional candidates that the company revealed last week.
But the panelists agreed a broader partnership is necessary.
“It’s not just about government working together — it’s about industry and government working together,” Krebs said. “We have to have integrated, cross-sector, government-industry collaboration in the cybersecurity space, in the critical-infrastructure protection space. And that’s where we’re going.”