Lawmakers receive lukewarm assessment of cyber cooperation between feds, private sector

Legislators received a lukewarm assessment of the federal government’s cooperation with the private sector on cybersecurity at a hearing on Thursday. 

Industry experts told a congressional panel with oversight of the Department of Homeland Security’s (DHS) cybersecurity and infrastructure protection efforts that the agency needs to share more information more quickly and robustly with private organizations to safeguard the nation against cyber threats. 

The DHS, which is now headed by John Kelly, has a number of programs to engage and share information with the private sector, including the Automated Indicator Sharing (AIS) capability that allows the public and private sectors to trade information about cyber threat indicators, such as malicious IP addresses or the origin address of a phishing email. 

Despite these efforts, lawmakers acknowledged on Thursday that the government has a ways to go on cybersecurity cooperation with private industry. 

“Our collective ability to combat these threats, with government and the private sector working together, will be one of the defining public policy challenges of our generation,” Rep. John Ratcliffe (R-Texas), chair of the Homeland Security Committee's cybersecurity subcommittee, said in opening testimony.  

“While DHS has made headway in this space and strengthened many initiatives in its role as the civilian interface and coordinator across 16 critical infrastructure sectors for cybersecurity, very clearly more work needs to be done.” 

Industry representatives described DHS information-sharing programs as a good start, but pointed to shortcomings — particularly in AIS — that prevent them from understanding the full scope of potential threats.

“These indicators of compromise are like breadcrumbs. It is only when you aggregate them in the context that you see what the meal is. The sharing of individual indicators of compromise without context leaves practitioners asking more questions than having them answered,” said Scott Montgomery, vice president and chief technical strategist at Intel Security Group. “We’d like to seek innovative ways to further grow the information sharing ecosystem.” 

Another industry CEO said that the past few years have seen substantial progress, but there's more to do.

“[There is] no question that it is not as effective as it could be, but based on where we were five years ago, they certainly have made a lot more progress in a short amount of time,” said Daniel Nutkis, CEO of HITRUST Alliance, a company that establishes risk management practices for the health industry. “We certainly would like to see more information shared from government.” 

In addition to collaborating with the DHS, private organizations also work with federal law enforcement agencies to share information to help catch cyber criminals. 

In response to questioning from Rep. Brian Fitzpatrick (R-Pa.), some of the panelists reported having good cooperation with the FBI but cited roadblocks presented by the “knee-jerk” classification of information related to ongoing investigations. 

“By classifying the event, what we are doing is restricting the number of people who can lend assistance and also allowing the adversary to operate with impunity,” Montgomery said.

“While I think the collaboration is good, when there is an instance requiring data classification, we are classifying information too quickly sometimes and not allowing that information to be propagated in the public and private sector.”

Nutkis called on the government to find a middle ground. 

“We’re trying to defend the public sector from additional loss,” he said. “There has to be a happy medium here where they can provide us with enough information to defend the sector without compromising a law enforcement investigation.”

The hearing comes as industry leaders continue to await the release of President Trump’s executive order on cybersecurity, the signing of which was abruptly canceled by the White House at the end of January.

Trump has recruited former New York City Mayor Rudy Giuliani (R) to serve as a liaison of sorts between the administration and the cybersecurity private sector.

Industry leaders telegraphed Thursday that they would like to see the new administration prioritize improving the implementation of partnerships between the DHS and private companies.

“We need to implement [the cybersecurity mission] more effectively,” said Ryan Gillis, vice president of cybersecurity strategy and global policy for Palo Alto Networks. 

“We have had a 10-year discussion in this country about roles and mission of DHS, of DOD, of the intelligence community, of law enforcement, how all of those entities can work together with the private sector and internally,” Gillis said. “Not re-litigating that and moving forward with being more effective in the operational environment under that broad policy construct would be essential.”