CIOs wary of sharing cyber threat data

CIOs are still lukewarm to the idea of sharing the cybersecurity threat information the U.S. government is requesting in its Cybersecurity Information Sharing Act. Department of Homeland Security official Andy Ozment reassures IT executives that the feds just want to ‘help you.’

Despite a new law encouraging companies to share more information about cybersecurity attacks, only 58 percent of CIOs polled say the new law would make it more likely they would cooperate with the government in the event of a data breach. The results, collected in a live audience poll at the Wall Street Journal’s CIO Network show Tuesday, suggest the U.S. government has a ways to go in fostering trust with the corporate sector.


Andy Ozment, the Department of Homeland Security's assistant secretary of the office of cybersecurity and communications.

Companies are generally willing to share threat “indicators,” such as the IP address of a phishing scam making the rounds, rather than report specific incidents, said Andy Ozment, the Department of Homeland Security's assistant secretary of the office of cybersecurity and communications, who took the poll in stride as a guest speaker. "The legislation will make that more clear."


The U.S. Senate in October passed the Cybersecurity Information Sharing Act, a well-intentioned band-aid for the rash of data breaches that have buffeted the corporate sector. Ideally, companies would share with DHS more information about threats they are seeing in their networks, and DHS in turn would contextualize the data and share it with other companies and federal agencies. The law seeks to protect companies from private lawsuits, a major stumbling block to information sharing. Ozment said the DHS would begin sharing cybersecurity threat information with private companies later this month.

Uncle Sam wants you to trust it with your data

Ozment, who oversees a $930 million budget and workforce created to bolster the nation’s cyber and communications infrastructure defense, says companies can relay threat indicator information from their intrusion detection system to one of their servers. Companies then relay it to DHS, which has created a “giant mixing bowl of indicators,” which are stripped of information about employees. He also said cybersecurity vendors would be able to use the data to build their own products.


While he allowed that companies are much more reticent to report hacks, Ozment encouraged companies to communicate incidents to law enforcement or DHS, which would grant statutory protections under which the data can't be used for regulatory purposes, civil litigation or Freedom of Information Act requests. "The bill says that if you're sharing information for cybersecurity purposes, then you’re protected against this liability," Ozment says.

Companies are contemplating how to share not only information, but talent. Jim Motes, CISO of Rockwell Automation, has proposed a cooperative staffed by the best engineers from member companies, which he says would be better positioned to protect corporate networks than most managed security service providers (MSSPs).

No shortage of skeptics

Although Ozment attempted to put a friendly face on the government’s information-sharing efforts, he faced a skeptical crowd of CIOs from Lockheed Martin, American International Group, Allstate and other Fortune 500 companies.


NuStar Energy CIO Manish Kapoor noted that his CISO was “freaking out” after the company received an addendum request from a commercial contractor to comply with the National Institute of Standards and Technology (NIST) standard for protecting critical infrastructure within 90 days. He said this was a tall task because “NIST standards are really complicated.”

Ozment, whose agency provides support for the NIST standards, said that this is happening in every industry, adding that a singular standard is better than too many standards. “The benefit of the NIST cybersecurity framework is at least we can all agree on it because the worst case for everybody is a tower of Babel … competing regulations, competing contractual demands … nobody wants to live in that world and that is why we did the NIST cybersecurity framework.”

Ultimately, Ozment said: "We’re there to help you, we want to find the bad guys on your network, kick them out and get you back up on your feet again." Despite those good intentions, the DHS must overcome the perception problem it has among some CIOs. As NuStar Energy’s Kapoor puts it, “Whenever I hear somebody say ‘I’m from the government and I’m here to help you’ I get nervous.”


Stories by Clint Boulton
