6 Aspects of Cyberthreat Info Sharing Program
Piggybacking on Defense Industrial Base Initiative
As a House panel advanced legislation to encourage cyberthreat information sharing between the federal government and critical infrastructure owners [see CISPA Clears House Intelligence Panel], the Government Accountability Office issued a report that, in part, analyzes an existing initiative to share threat information in Department of Defense communications networks.
GAO says the Defense Industrial Base program could serve as a model for other cyberthreat information sharing initiatives between the government and industry. The Defense Industrial Base, known as DIB, is a worldwide industrial complex that enables research and development as well as design, production, delivery and maintenance of military weapons systems, subsystems and components to meet U.S. military needs. More than 100,000 businesses participate in DIB.
In the report issued April 10, Communications Networks: Outcome-Based Measures Would Assist DHS in Assessing Effectiveness of Cybersecurity Efforts, GAO analyzes a DIB cyber-pilot that guides a voluntary information-sharing program with Internet service providers.
The program consists of six attributes that could be adapted by the federal government to share classified and nonclassified information with other critical infrastructure operators. They include:
- Agreements: Eligible defense industrial base companies that want to participate in these pilots enter into an agreement with the federal government.
- Government sharing of unclassified and classified cyberthreat information: The Defense Department provides participating defense industrial base companies with unclassified and classified threat information, and in return the companies acknowledge receipt of threat information products. For any intrusions reported to DoD by the participating companies, the department can develop damage assessment products, such as reports on specific incidents or trends, and provide them to participating companies and DoD leadership.
- Feedback mechanism on government services: When a participating company receives cyberthreat information from DoD, it has the option of providing feedback to the department on, among other things, the quality of the products.
- Government cyber-analysis, mitigation and digital forensic support: A participating company can optionally report intrusion events. When this occurs, DoD can conduct forensic cyber-analysis and provide mitigation and digital forensic support. The department also can provide on-site support to the company that reported the intrusion.
- Government reporting of voluntarily reported incidents: DoD can report the information to other federal stakeholders, law enforcement agencies, counterintelligence agencies and the DoD program office that might have been affected.
- ISPs deploying countermeasures based on classified threat indicators for organizations: Each participating company in the cybersecurity/information assurance program could voluntarily allow its ISPs to deploy countermeasures on its behalf, provided the ISP has been approved to receive classified network security indicators from the federal government. For those providers, the United States Computer Emergency Response Team collects classified threat indicators from multiple sources and provides them to the companies' participating ISPs. If the ISP identifies a cyber-intrusion, it would alert the company that was the target of the intrusion. Providers also could voluntarily notify U.S.-CERT about the incident, and U.S.-CERT would share the information with the Defense Department.
Besides CISPA, which heads for a House vote, President Obama in February issued an executive order that calls for the sharing of cyberthreat information between the government and industry [see Obama Issues Cybersecurity Executive Order].