White House takes small step toward sharing cyberattack data

The White House has issued a framework for government departments and agencies to follow in sharing information, including data that would help bolster defenses against state-sponsored hackers and other criminals.

The National Strategy for Information Sharing and Safeguarding is seen as a small step, albeit an important one, as lawmakers struggle with much broader regulations governing data sharing between government and private industry.

Congress failed this year to pass legislation that would have required utilities and others responsible for the nation's critical infrastructure, such as the power grid and water filtration systems, to share information with federal officials.

While lawmakers are expected to revisit the issue next year, the guidelines released Wednesday will begin the process of government entities setting up data-sharing mechanisms. Although the document doesn't specifically address cyberattack data, such data would be included in the government's efforts.

"This is a good first step," said Murray Jennex, a cybersecurity expert and associate professor at San Diego State University. "Other agencies will open up to the NSA and the FBI and such, sharing what has happened to them, where before maybe they wouldn't.

"And it does free up the FBI to pass on information to other agencies," he said.

Where data sharing within the government would likely fall short is with the Department of Defense and the National Security Agency (NSA). Those departments can list information as classified, making it shareable only with authorized people. Therefore, a much more detailed order would be needed to set guidelines on declassifying cyberattack data.

"Even though it says that government agencies should share, you're still not going to get, say, the Department of Defense sharing information about a cyberwar attack on them, even though the president says they should," Jennex said. "I don't think that will happen."

As an initial step, the White House report establishes in general terms the importance of data sharing. "Our national security depends on our ability to share the right information, with the right people, at the right time," the report says. "This information sharing mandate requires sustained and responsible collaboration between federal, state, local, tribal, territorial, private sector, and foreign partners."

The Obama administration views information as a "national asset" important for the security of the nation's infrastructure, as well as protecting classified information and intellectual property.

With a few exceptions, not much data sharing goes on between companies or with government. That's because companies fear they will be at a competitive disadvantage if the wrong data is shared. In addition, they are afraid of running afoul of legal requirements.


To be effective, any data-sharing requirements from the government would have to include immunity from lawsuits for the information transferred, Jennex said.

"That's really what hangs up people from sharing stuff about breaches," he said. "Because it does open them up to lawsuits, and without that relief, we won't get sharing."

Another issue is protecting the source of the shared data. A mechanism would have to be in place to make sure the shared data could not be traced to the originator. Anonymity would enable companies to share more information on cyberattacks and the defensive measures that failed to prevent a system breach.

The Obama administration is expected in the near future to address the issue of data sharing with the private sector with an executive order. Because the president cannot require companies to share data, the order is seen as a stopgap measure while Congress hammers out much broader legislation.

The latest guidelines establish five goals. The first is to adopt common processes when possible. Second, government entities should develop policies for making information available only to approved individuals.

"Secure discovery and access relies on identity, authentication, and authorization controls, data tagging, enterprise-wide data correlation, common information sharing standards, and a rigorous process to certify and validate their use," the guidelines say.

Other goals include developing network interoperability and shared services and data; and building security "through structural reform, policy and technical solutions." Finally, safeguards need to be in place to prevent violations of privacy and civil rights.

While companies and government struggle over many issues related to data sharing, cybercriminals have established highly effective underground forums and chat rooms for sharing information, experts say. This has left their targets, companies and government agencies, at a disadvantage.

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts