Info-sharing between the feds and private sector needs work, says NSS

Sharing of critical security information between the federal government and the private sector is an important part of protecting the nation's infrastructure and intellectual property from online attackers and thieves, but that knowledge flow isn't always smooth, NSS Labs said this week.

"It has been 10 years since the first national consensus emerged in the United States that more needed to be done to protect the national computer and communications infrastructure," NSS noted in a report.

"Yet," it continued, "we are still struggling to find and enable the right level of public/private cooperation and responsibility assignment to protect the nation's critical infrastructure, much of which is owned and operated by the private sector."

While acknowledging progress on information sharing in the financial services and defense industries, the report said much still needs to be done to enable near real-time situational awareness across the nation's critical infrastructure and to fully leverage U.S. government cyber intelligence capabilities for better protection.

The report found:

  • Public and private sector actors often approach cybersecurity from different perspectives: government typically thinks in terms of worst-case scenarios, while the private sector thinks in terms of most likely outcomes.

  • Private-sector participants require information that is specific, timely and actionable. Data provided by government sources can be generic, stale, heavily redacted or potentially classified.

  • Liability concerns continue to retard broader public/private information sharing.

  • Machine-to-machine cybersecurity information sharing is currently supported in only limited cases.

Although sharing implies transactions between equals, that's not the case with cybersecurity information, largely because public and private organizations have different wants and needs, and the government has the upper hand in getting what it wants.

"The whole goal of the private sector is to protect their intellectual property and the brand of their company," an author of the report, NSS Research Vice President Ken Baylor, said in an interview. "That's all they want to do.

"What the government wants to do is standardize how the private sector responds to cyber threats and make sure they respond well," he continued, "and that it's also a source of intelligence and information for them.

"What the private sector is absolutely terrified of is that the government will come in with a bunch of overreaching regulations that require them to do a bunch of things that aren't relevant to them, burdensome and of no value," he added.

A better understanding by government and industry of the relationship between security and compliance is important, added Phyllis Schneck, vice president and chief technology officer for the global public sector at McAfee. "A lot of dialog and collaboration is needed on how do we foster creative innovation to get the best security and not just compliance," she said in an interview.

"If you follow a series of regulations, you'll check off a series of boxes, and you'll get great compliance, but you won't necessarily be secure," she added. "Regulations move too slowly to protect against how quickly our adversaries are attacking us."

Public-private sharing is also imbalanced because not only does the government have the power to compel information from the private sector, but it also maintains a hoard of classified information that it can't or won't share. "It's a meeting of non-equals," Baylor said.

Public and private perspectives on cyber threats can also produce snags in sharing. "The public sector sees everything as a threat," Shane Shook, chief knowledge officer and global vice president of consulting at Cylance, said in an interview. "Whereas, the private sector differentiates between threats that affect their business and risks they're constantly being bombarded with, whether it be DDoS attacks, malware, script kiddies or hacktivists.

"The private sector takes the time to differentiate between threats and risks, while the public sector doesn't do that," he said. "It has a different kind of risk tolerance. It can't afford to ignore any kind of risk."
