Will voluntary cyber threat sharing plan cast doubt over CISPA?

The Cyber Intelligence Sharing and Protection Act (CISPA) might be cast into doubt in the wake of a Department of Defense announcement last week that as many as 1,000 defense contractors -- and possibly thousands more -- may voluntarily join an expanded program of sharing classified information on cyber threats with the federal government.

The program, known as the Defense Industrial Base Cyber Security/Information Assurance, or DIB CS/IA, has been in a pilot phase for the past four years with only 37 contractors. The expansion, recently approved by the Obama administration, means about 8,000 contractors cleared to work with DoD intellectual property are being invited to participate.

Bloomberg BusinessWeek reports that Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said that if this expansion "proves successful in safeguarding defense contractors from cyber attacks, the administration may enlarge the program to companies in 15 other critical infrastructure categories through the Department of Homeland Security."

This, if it works as expected, could prompt those arguing over CISPA, recently passed by the U.S. House, along with other similar pending legislation in Congress, to wonder how necessary it all is. Why mandate information sharing with the government if it can happen voluntarily?

[See also: CISPA enjoys wide backing from enterprises]

Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, a Washington, D.C. think tank, says that while "there absolutely are similarities" between DIB and the various legislative efforts, there are "lots of other bits" in those bills -- such as mandatory security standards. "Some legislation is necessary," he says.

Dan Philpott, an expert in federal cybersecurity and editor of FISMApedia, says DIB CS/IA is "a much lighter version" of CISPA. He says another reason the program could not replace cybersecurity law is because it is unlikely that anything close to 8,000 contractors will volunteer to enter it. He believes the DoD is being optimistic even with an estimate of 1,000. "I think they'd be happy with 500," he says.

Beyond that, there is debate over how worthwhile and effective DIB CS/IA has been and will be. There is broad agreement that the threat of cyberattacks is increasing at "a rapid and accelerating rate," in the words of Rear Admiral Samuel Cox, director of intelligence for the military's Cyber Command, at a forum last month.

And the goal of the DIB expansion is for more sharing of data between private defense contractors and the DoD's intelligence-gathering arm, the National Security Agency. Richard A. Hale, deputy chief information officer for cybersecurity, told the American Forces Press Service, "We started the program in an attempt to share cyber-threat data with these companies in a way that allowed the companies to act on that information immediately," and called it, "an important step forward in our ability to catch up with widespread cyber threats."

But Healey, speaking to Reuters last week, expressed some skepticism about whether the benefits of DIB CS/IA would be worth the cost to contractors. "The DIB pilot probably increases the defenders' work factor much more than it increases the attackers," he said. "This is a lot of work and a lot of taxpayer dollars for something that has apparently not proven it can increase security more than on the margins."

Healey says he is "very pleased to see DoD saying they could scale this to 8,000 companies." But he still thinks the department could be much more efficient in its dealings with private industry.

In an article in The Atlantic, Healey argues that the NSA should simply declassify much of its database of malware "signatures."

He acknowledges that critics will argue that such action would "compromise our sensitive collection sources and methods. [But] in truth, the extreme classification surrounding most of these signatures protect[s] little but bureaucratic inertia. General Michael Hayden, a past NSA director, made this case best, saying, 'Let me be clear: This stuff is overprotected.'"

"More importantly, the Internet is an open network and any adversary that uses novel malicious software knows it will eventually be discovered," he said.

Philpott adds that in the information security community, "signature-based security is becoming kind of looked down on. It's inherently weak because it only identifies things that have already happened."

Healey writes in The Atlantic that NSA's signature database, while "considered among the crown jewels of the U.S. government's defense capabilities ... may not be as awe-inspiring as advertised." He adds: "An independent review found only marginal benefit" to contractors like Northrop Grumman or Lockheed Martin.

"Only 1% of the attacks were detected using NSA threat data that the companies did not already have themselves," Healey says.

He argues that a more effective system would be an "independent clearinghouse for signatures. NSA might anonymously add its signatures ... and further wash their source by mixing them with signatures from security companies and even with other nations' intelligence agencies."

"This option would create the world's best-ever signature database ... and any organization that contributes their signature collection would then be able to use the full database," Healey says.
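To make two points in the article concrete, Philpott's objection that signature-based detection catches only what has already been seen, and Healey's proposed clearinghouse that pools contributors' signatures without provenance and lets each contributor measure what the pool adds beyond its own data, here is a small added example. It is not code from the article, from Healey or from any DIB CS/IA system; it assumes simple file-hash signatures, and all samples, signatures and contributor names are constructed for illustration, not real malware or real NSA data.

```python
"""Toy signature clearinghouse (added example, not from the article).

Demonstrates:
  * a signature-based detector flags only samples it has already seen;
    a one-byte variant of a known sample is missed;
  * pooling several contributors' signatures into one set that keeps no
    record of who supplied what;
  * the "marginal gain" metric: what fraction of attacks a defender caught
    ONLY because of shared signatures it did not already hold (the ratio
    behind the "only 1%" figure Healey cites).

Every sample and signature below is constructed for illustration.
"""
import hashlib


def sig_of(data: bytes) -> str:
    """A file-hash signature: SHA-256 of the sample's bytes (assumption)."""
    return hashlib.sha256(data).hexdigest()


# Constructed "malware" samples. Real signatures are richer than a hash;
# a hash is enough to show the known/unknown boundary.
KNOWN_A = b"dropper-v1 beacon=10.0.0.1"
KNOWN_B = b"keylogger-v3 exfil=smtp"
KNOWN_C = b"wiper-v2 target=MBR"
NOVEL = b"dropper-v1 beacon=10.0.0.2"  # one byte changed: an unseen variant

# Contributor -> signatures it holds. Provenance exists only at submission
# time; the clearinghouse discards it. Names are hypothetical.
CONTRIBUTIONS = {
    "contractor_x": {sig_of(KNOWN_A), sig_of(KNOWN_B)},
    "contractor_y": {sig_of(KNOWN_A)},
    "agency": {sig_of(KNOWN_A), sig_of(KNOWN_C)},
}

SAMPLES = {"A": KNOWN_A, "B": KNOWN_B, "C": KNOWN_C, "novel": NOVEL}


def build_clearinghouse(contributions):
    """Merge all contributors' signatures into one anonymous, deduplicated
    set. Only the signatures survive; who supplied which does not."""
    pooled = set()
    for sigs in contributions.values():
        pooled |= sigs
    return frozenset(pooled)


def scan(samples, signatures):
    """Signature-based detection: a sample is flagged iff its hash is known."""
    return {name: (sig_of(data) in signatures) for name, data in samples.items()}


def marginal_gain(own_sigs, shared_sigs, attacks):
    """Fraction of `attacks` detected only because of signatures in
    `shared_sigs` that the defender's own set did not already contain."""
    only_shared = set(shared_sigs) - set(own_sigs)
    hits = sum(1 for sample in attacks if sig_of(sample) in only_shared)
    return hits / len(attacks)


def demo():
    pooled = build_clearinghouse(CONTRIBUTIONS)
    results = scan(SAMPLES, pooled)
    # contractor_x's benefit from the agency's data, over the attack set it
    # actually faced: the three known samples plus the novel variant.
    gain = marginal_gain(CONTRIBUTIONS["contractor_x"], CONTRIBUTIONS["agency"],
                         [KNOWN_A, KNOWN_B, KNOWN_C, NOVEL])
    return pooled, results, gain


if __name__ == "__main__":
    pooled, results, gain = demo()
    print(f"{len(pooled)} distinct signatures pooled from {len(CONTRIBUTIONS)} contributors")
    for name, hit in results.items():
        print(f"  {name:6s} -> {'DETECTED' if hit else 'missed'}")
    print(f"marginal gain for contractor_x from agency signatures: {gain:.0%}")
```

Even the full pooled set misses the novel variant, which is Philpott's point; and the marginal-gain function shows why a contributor can hold "crown jewel" data yet add little once others already hold most of the same signatures.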


Stories by Taylor Armerding