The Department of Homeland Security is nearing the ability to receive notifications of cyber threats to the private sector in real time and will consolidate and route the information through a central clearing house for analysis.
Legislation currently on Capitol Hill aims to incentivize industry to share evidence of hacks, data breaches and network intrusions with DHS without liability, said Suzanne Spaulding, undersecretary of DHS’s National Protection and Programs Directorate (NPPD).
“This is a newly incentivized program focused on a specific subset of information, which are cyber-threat indicators,” she said Sept. 10 at the Center for Strategic and International Studies in Washington, D.C. “We have been very clear from the outset, that this does not mean that companies should not continue to pick up the phone and call whoever they are used to dealing with to talk about whatever suspicious activity they might be seeing on their network or report an intrusion. This is not saying that all cyber information sharing has to be centralized within the Department of Homeland Security. Information sharing that goes on today should continue.”
NPPD will route the information received from industry through the National Cybersecurity and Communications Integration Center (NCCIC), which was chosen in part because it has a full-time privacy officer to preserve the anonymity of companies that share details of network intrusions and vulnerabilities with DHS. Spaulding said the Obama administration decided that sharing such information with the government was important enough to shield the identity of the affected company, including from regulators.
Next month the NPPD will launch an automated information sharing system “which takes us from people speed to machine speed,” Spaulding said. “That allows us to do that machine to machine, sharing cyber threat indicators…It is because we have developed this capability to do this machine to machine that we can now talk about sharing information in near-real time.”
The Obama administration is encouraging more information sharing among private-sector firms and between firms and the government, she said. Legislation on Capitol Hill aimed at increasing public-private information sharing provides liability protection for companies that share cyber threat information with the government.
The system is built on two standards: Structured Threat Information eXpression (STIX), a common language for describing cyber threat indicators so that they can be exchanged machine to machine, and Trusted Automated eXchange of Indicator Information (TAXII), the transport protocol that carries STIX content between agencies and networks. Both have been in pilot development for about two years and are set to be rolled out across government and industry beginning in October.
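To make concrete what “machine speed” sharing of indicators looks like (the STIX/TAXII passage above, and the later point that today’s capability is detecting and blocking known indicators), here is an added illustration that is not part of the article and not NCCIC or DHS code. It uses the JSON form of STIX (the 2.1 specification, which postdates the 2015 pilots described here; the XML-based STIX 1.x was current at the time) to build a small indicator bundle, then applies the single-comparison subset of STIX patterns to a handful of constructed network events. The event field names (`src_ip`, `dst_ip`, `domain`, `sha256`), the indicator values and the events themselves are all assumptions made up for the example; a real deployment would map STIX observable paths onto its own SIEM schema and would pull the bundle over TAXII rather than building it in code.

```python
"""Added example: build a minimal STIX 2.1 indicator bundle and match its
patterns against constructed events. Not DHS/NCCIC code."""
import json
import re
import uuid
from datetime import datetime, timezone

# Single-comparison STIX pattern: [<object-type>:<path> = '<value>']
# Compound patterns (AND/OR, FOLLOWEDBY, qualifiers) are deliberately skipped.
_SIMPLE_PATTERN = re.compile(
    r"^\[(?P<obj>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<val>[^']*)'\]$"
)

# Assumed mapping from STIX observable paths to fields in our event schema.
FIELD_MAP = {
    "ipv4-addr:value": ("src_ip", "dst_ip"),
    "domain-name:value": ("domain",),
    "file:hashes.'SHA-256'": ("sha256",),
}


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(pattern: str, name: str) -> dict:
    """STIX 2.1 Indicator SDO with its required properties."""
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects: list) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def compile_indicators(bundle: dict) -> dict:
    """Flatten supported indicator patterns into {(event_field, value): name}."""
    table = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            continue  # unsupported pattern shape: leave it for a full pattern engine
        key = f"{m['obj']}:{m['path']}"
        for field in FIELD_MAP.get(key, ()):
            table[(field, m["val"])] = obj["name"]
    return table


def match_events(bundle: dict, events: list) -> list:
    """Return (event_index, field, indicator_name) for every known-indicator hit."""
    table = compile_indicators(bundle)
    hits = []
    for i, ev in enumerate(events):
        for field, value in ev.items():
            name = table.get((field, value))
            if name is not None:
                hits.append((i, field, name))
    return hits


# Constructed indicators; the addresses are documentation ranges, not real threats.
SAMPLE_BUNDLE = make_bundle([
    make_indicator("[ipv4-addr:value = '198.51.100.7']", "C2 server (constructed)"),
    make_indicator("[domain-name:value = 'bad.example']", "phishing domain (constructed)"),
    make_indicator(
        "[file:hashes.'SHA-256' = "
        "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
        "dropper hash (constructed)",
    ),
    # Compound pattern: recognised as STIX but skipped by this simple matcher.
    make_indicator(
        "[ipv4-addr:value = '192.0.2.1' AND network-traffic:dst_port = 443]",
        "compound pattern (constructed)",
    ),
])

# Constructed events in the assumed schema.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "domain": "cdn.example.net"},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.20", "domain": "bad.example"},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.21", "domain": "www.example.org"},
    {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

if __name__ == "__main__":
    print(json.dumps(SAMPLE_BUNDLE, indent=2))
    for hit in match_events(SAMPLE_BUNDLE, SAMPLE_EVENTS):
        print(hit)
```

The matcher only handles exact-match comparisons, which is exactly the “known signatures and known indicators” stage the article says NPPD has reached; behavioural attributes or reputation scores would need a different engine, and the compound pattern in the bundle is skipped rather than silently mis-evaluated.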
The NPPD also is developing and providing to government agencies tools that continuously scan internal agency networks and automatically identify, and in some cases correct, vulnerabilities, she said. Congress recently gave the NPPD authority to issue binding directives to agencies regarding network security. It recently issued its first one, which requires agencies to correct critical vulnerabilities within 30 days of being notified of them by the NPPD.
“Where we are today is we can detect and block known signatures and known indicators,” she said. “What we are working very hard on now in conjunction with the private sector, obviously is to get to the stage where we can go beyond the things we’ve seen before by recognizing either attributes of bad behavior or developing a kind of risk score, a reputational score, that will help us to identify higher risk traffic that might be coming in.”
When cyber threats are detected, the NPPD can deploy one of its computer emergency readiness teams (CERTs) to triage the intrusion and carry out a remediation plan.
“They will actually go and be on site to help understand what’s going on in a network and, most importantly, how to rebuild it more securely, how to take steps to prevent this from happening again, how to get these intruders out of the system and make sure they can’t come back in,” she said. “Our focus…is on very quickly getting information out to folks who need it,” she said. “We put out a series of alerts and action memos as soon as we identify and understand malicious activity, malware, we put it out for folks to understand and also put out mitigation practices.”