National Strategy for Information Sharing and Safeguarding to begin the process of government entities setting up data-sharing mechanisms

The White House has issued a framework for government departments and agencies to follow in sharing information, including data that would help bolster defenses against state-sponsored hackers and other criminals.

The National Strategy for Information Sharing and Safeguarding is seen as a small step, albeit an important one, as lawmakers struggle with much broader regulations governing data sharing between government and private industry.

Congress failed this year in passing legislation that would have required utilities and others responsible for the nation’s critical infrastructure, such as the power grid and water filtration systems, to share information with federal officials.

While lawmakers are expected to revisit the issue next year, the guidelines released Wednesday will begin the process of government entities setting up data-sharing mechanisms. While the document doesn’t specifically address cyber-attack data, it would be included in the government’s efforts.

“This is a good first step,” said Murray Jennex, a cybersecurity expert and associate professor at San Diego State University. “Other agencies will open up to the NSA and the FBI and such, sharing what has happened to them, where before maybe they wouldn’t.

“And it does free up the FBI to pass on information to other agencies,” he said.

Where data sharing within the government would likely fall short is with the Department of Defense and the National Security Agency (NSA). Those departments can list information as classified, making it shareable only with authorized people.
Therefore, a much more detailed order would be needed to set guidelines on declassifying cyberattack data.

“Even though it says that government agencies should share, you’re still not going to get, say, the Department of Defense sharing information about a cyberwar attack on them, even though the president says they should,” Jennex says. “I don’t think that will happen.”

As an initial step, the White House report establishes in general terms the importance of data sharing. “Our national security depends on our ability to share the right information, with the right people, at the right time,” the report says. “This information sharing mandate requires sustained and responsible collaboration between federal, state, local, tribal, territorial, private sector, and foreign partners.”

The Obama administration views information as a “national asset” important for the security of the nation’s infrastructure, as well as protecting classified information and intellectual property.

With a few exceptions, not much data sharing goes on between companies or with government. That’s because companies fear they will be at a competitive disadvantage if the wrong data is shared. In addition, they are afraid of running afoul of legal requirements.

[See related: Volunteering falls short on threat information sharing]

To be effective, any data-sharing requirements from the government would have to include immunity from lawsuits for the information transferred, Jennex said.

“That’s really what hangs up people from sharing stuff about breaches,” he said. “Because it does open them up to lawsuits, and without that relief, we won’t get sharing.”

Another issue is in protecting the source of the data shared. A mechanism would have to be in place to make sure the shared data could not be traced to the originator.
Anonymity would enable companies to share more information on cyberattacks and the defensive measures that failed in preventing a system breach.

The Obama administration is expected in the near future to address the issue of data sharing with the private sector with an executive order. Because the president cannot require companies to share data, the order is seen as a stopgap measure while Congress hammers out much broader legislation.

The latest guidelines establish five goals. The first is to adopt common processes when possible. Secondly, government entities should develop policies for making information available only to approved individuals.

“Secure discovery and access relies on identity, authentication, and authorization controls, data tagging, enterprise-wide data correlation, common information sharing standards, and a rigorous process to certify and validate their use,” the guidelines say.

Other goals include developing network interoperability and shared services and data; and building security “through structural reform, policy and technical solutions.” Finally, safeguards need to be in place to prevent violations of privacy and civil rights.

While companies and government struggle over many issues related to data sharing, cybercriminals have established highly effective underground forums and chat rooms for sharing information, experts say. This has left their targets, companies and government agencies, at a disadvantage.