{"id":1635,"date":"2018-05-18T16:25:31","date_gmt":"2018-05-18T16:25:31","guid":{"rendered":"http:\/\/www.blackopspartners.com\/?p=1635"},"modified":"2018-05-18T16:25:31","modified_gmt":"2018-05-18T16:25:31","slug":"sharing-classified-cyber-threat-information-with-the-private-sector","status":"publish","type":"post","link":"https:\/\/blackopspartners.com\/sharing-classified-cyber-threat-information-with-the-private-sector\/","title":{"rendered":"Sharing Classified Cyber Threat Information With the Private Sector"},"content":{"rendered":"

Critical infrastructure companies cannot protect themselves from adversarial nation-states without federal assistance. The U.S. government should create a classified network to share information on cyber threats with private companies critical to the economy.


Introduction

The U.S. government and private industry have been stuck at an impasse concerning cybersecurity information sharing for over a decade. While the Barack Obama administration rolled out executive and legislative efforts to increase information sharing, many U.S. companies still argue that the federal government should do more to provide them with useful intelligence on cyber threats. But the U.S. intelligence community argues that greater declassification and sharing of information with private companies could put technical sources and methods at risk.

Fixes to this problem exist. The Department of Defense already provides a classified network for cleared defense contractors to receive intelligence on threats to their companies. Replicating this network for cyber threats has long been discussed as a way to share more information with the financial sector, electricity suppliers, and other private-sector entities critical to the U.S. economy.


Expanding this network requires increasing the number of cleared personnel and of facilities that can hold classified information, as well as changing intelligence collection priorities. These hurdles can be addressed by cooperative efforts between the public and private sectors. As a crucial first step, the U.S. government should begin the targeted collection of intelligence on cyber threats to critical infrastructure. To disseminate this information, the government should establish security standards different from those applicable to defense contractors to determine who may hold clearances.


A System Built for a Bygone Era

Information sharing has long been viewed as crucial to cybersecurity and as an area in which the government can play a significant role. If indicators of malicious activity are shared whenever and wherever they are detected, attackers will no longer be able to reuse the same methods against different targets.

The Obama administration and Congress worked together to eliminate perceived barriers to information sharing among private companies, for example through Department of Justice and Federal Trade Commission policies that addressed concerns that sharing information among competitors could violate antitrust law. Obama used executive orders to promote the creation of organizations tasked with centralizing private-sector information-sharing efforts and establishing channels with the federal government. Finally, the Cybersecurity Act of 2015 provided liability protections for sharing cybersecurity information among private companies.


Far less successful were efforts to share government information with the private sector. The federal government has the authority and capability to collect intelligence that no private company possesses. The National Security Agency (NSA) intercepts foreign communications and breaks into the computers of foreign adversaries to understand their intentions, identify the infrastructure they use, and analyze their attack tools. The FBI and U.S. Secret Service have similar authorities and capabilities domestically. Yet disseminating collected information outside the intelligence community remains time-consuming and difficult. Information either needs to be declassified to be shared or can only be shared in in-person briefings with the small number of individuals at private companies who have clearances. When such information is shared, the private sector often views it as irrelevant because the actors targeting private critical infrastructure firms may not be the same as those targeting government agencies or the military.

The federal government’s Enhanced Cybersecurity Services (ECS) program was intended to address the declassification issue by providing classified information to private security service companies that would then block malicious traffic on behalf of their clients without publicly exposing the classified threat information. This program was established in 2012, but adoption has been slow, owing in part to its black-box nature: companies enrolled in ECS have no way of knowing what the provider blocked or why it blocked it. The Automated Indicator Sharing program, meant to provide unclassified reciprocal sharing of indicators of malicious activity, also has seen low adoption, with only approximately 130 companies using it. This is likely because the government does not have a competitive advantage in disseminating unclassified indicators, which can be obtained from intelligence collection, gathered from open source, or purchased from third parties.

For the government to provide greater value, it should prioritize collecting intelligence on threats to private companies, particularly critical infrastructure operators, and amend its processes for disseminating that intelligence. The U.S. approach to intelligence collection traces back to the post–World War II era, when only government officials had access to intelligence, most of which was focused on foreign adversaries, namely the Soviet Union. The approach changed to include nonstate terrorist actors after 9/11, but it has not stayed up to date with the threat of cyberattacks on the private sector. To make cyber threat information sharing relevant to critical infrastructure operators, the private sector should play a role in setting U.S. intelligence requirements and priorities.


Challenges

The Department of Defense runs DIBNET-S, a classified network for defense contractors to receive intelligence on threats to their companies. Creating a similar program for other critical infrastructure sectors, run by the Department of Homeland Security (DHS), faces a number of challenges.

The network would require a massive expansion of the number of people with access to classified information. Already, some five million Americans have security clearances, and an enlargement of access could potentially lead to the release of classified information, similar to what happened in the cases of Chelsea Manning and Edward Snowden. However, those and other incidents led the U.S. government to tighten access to classified information, moving from a “need to share” standard to a “need to know” standard, which requires both the appropriate level of security clearance and a valid reason for accessing classified information. A network to protect critical infrastructure will need to fall within these guidelines, transmitting only intelligence relevant to defending against cyberattacks to those with a need to know and implementing best practices for insider threats.


The effort will also require the U.S. government to set security clearance requirements that companies outside the defense industry will be able to meet. These requirements need to address the persistent issue of foreign ownership and control. Many critical infrastructure companies are owned by foreign investors, a red flag for granting clearances under the current rules. Similarly, many CEOs of U.S. companies, even those who are U.S. citizens, are unwilling to submit to the background check process.

Further, clearing more individuals will exacerbate the existing security clearance backlog. DHS needs to pay the Office of Personnel Management for each clearance it grants to private-sector individuals. Clearing hundreds more personnel in financial institutions, electricity providers, and other critical infrastructure organizations would strain the DHS budget unless additional resources are provided.

Having the government spy in support of private companies, even to protect critical infrastructure operators, could set a dangerous precedent. The United States has promoted a norm that state-sanctioned espionage should not aid the commercial interests of private companies, most recently in a 2015 agreement with China. The U.S. government will need to find a way to differentiate between using state assets to collect trade secrets and intellectual property for competitive gain and using the same assets to spy on foreign governments or criminal groups to protect critical infrastructure operators against cyber threats.

Many in the intelligence community will contend that they are neither authorized nor resourced for this mission; instead their mandate is to inform national security decision-makers, not to provide intelligence and warnings to critical infrastructure operators in the private sector. Yet long-standing policy suggests otherwise. U.S. intelligence collection priorities are governed by Executive Order 12333, which gives the president the responsibility to set intelligence priorities, collect information about foreign threats, and conduct activities to mitigate them. The order also states that national intelligence efforts should consider the requirements of “private-sector entities,” as appropriate. It is also worth noting that the U.S. intelligence community has had a long-standing collection requirement to target criminal groups involved in the drug trade; thus, collecting on criminal threats to critical infrastructure beyond nation-states has precedent.
