Feds to private businesses: Cough up your cyber intelligence

Corporations will be asked to contribute cyber intelligence to a new federal agency tasked with analyzing threat data culled from as many public and private sources as possible in order to more quickly spot attacks and attribute them to the guilty parties.

President Obama has announced formation of a new agency, the Cyber Threat Intelligence Integration Center (CTIIC), that will gather data broadly and scrutinize it so the U.S. has a single analysis of cyber incursions, a lack that complicated and delayed the administration's response to the Sony hack.

The 50-person, $35 million agency will cull data from federal sources (the CIA, FBI and NSA) but will also rely on data that corporate security pros gather in their day-to-day work protecting private networks.

While the administration can set up the CTIIC without authorization from Congress, requiring private industry to contribute requires new laws that have already been proposed.

But the cost of sharing this information is one factor businesses will worry about. "No business will spend money to give CTIIC data from a sense of national pride. There will either need to be a motivating carrot or a regulatory stick," says Jonathan Sander, the strategy and research officer for STEALTHbits. He says security pros all agree sharing this data results in quicker and better responses to attacks, "But the security community doesn't write the budgets."

Another concern is that it will be hard to staff the CTIIC, given that the needed talent is limited and "those with the requisite skills can make much more in the private sector," says Ken Westin, a senior security analyst for Tripwire.

Private organizations already have back-channels for sharing this type of data, says Stephen Coty, chief security evangelist for Alert Logic, usually made up of the major players in given industries, such as finance. Just as preserving confidentiality is important to these ad hoc groups, it will be of concern to businesses sharing with the government, he says. For example it's OK to say "Here's the details on a phishing campaign levied against a U.S. bank," but not OK to mention the bank's name, particular IP addresses attacked and the like.

Obama has proposed information-sharing laws that would protect private entities from legal and regulatory action for turning over cyberthreat indicators to the federal government. A group including representatives of the departments of Justice, Homeland Security, Defense and Commerce would set up policies for retaining and destroying this threat information depending on whether it meets the criteria set down in the law. The group would also set guidelines for anonymizing data included in these threat indicators.

Specific types of data should be exempted, according to Richard Bejtlich, a senior fellow at the Brookings Center for 21st Century Security and Intelligence. Any cyberthreat indicators, which is what Obama wants businesses to share, should not include personally identifiable information (PII) about individuals or data that hints at PII, and should also exclude data stolen from U.S. citizens, he says in a Brookings opinion piece.

Private industry is the target of attacks that seek to steal information that is damaging either to national security (attacks against defense contractors, for example) or to the economic viability of large corporations (attacks designed to steal intellectual property from corporations with competitors in other countries). As such, businesses collectively hold vast and valuable intelligence about who is attacking whom and how they are doing it.

The argument the Obama administration makes is that blending this private intelligence with threat data gathered by U.S. spy and law-enforcement agencies can create a more complete picture of cyber espionage and cyber warfare.
