Even the Department of Defense is working hard to keep pace with the changing landscape of cybersecurity threats. The key, by most estimates, is information sharing. But whether the DOD and other agencies are ready for the level of sharing required is another matter.

At the Defensive Cyber Operations Symposium held this past June, Justin Ball, technical director for the Department of Defense Information Network's Operations and Defensive Planning Division, spoke about some of the challenges the agency faces in the face of new and increased security threats.

The Department of Defense Information Network (DoDIN) is a globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating and managing information on demand to warfighters, policy makers and support personnel.

Ball acknowledged that considerable attention has recently been given to the standing up of cyber mission teams in the DOD, and to the importance of cyber workforces throughout all levels of government. For these teams and workforces to succeed, however, he noted that threat information must be shared broadly and systematically.

Cybersecurity is defensive and offensive

A successful cybersecurity program must be not only defensive but offensive, Ball explained. It's important to know against whom you should initiate proactive countermeasures, rather than just reacting to the latest advanced threat.

And advanced threats themselves are on the increase, with network compromises more insidious and harder to detect than ever before. One of the lessons driven home after the colossal security breach of the Office of Personnel Management in 2015 was how long it can actually take for a threat to be detected. The average lag time is a shocking 205 days, and even 250 days is not unheard of.

Because of the interconnectedness of communications, new mobile vulnerabilities and new malware variants are continually being introduced. It's becoming nearly impossible for any agency to keep up all by itself.

Ball used DoDIN as an example. While DoDIN's priority is operations, it is also tasked with "freedom of action" in cyberspace while denying that same freedom to adversaries. System operators must conduct full-spectrum cyberspace operations (computer network defense, computer network attack and computer network exploitation). Cyberspace operations are informed by intel and threat indicators from traditional and advanced sensors, sharing vulnerability information from both DOD and non-DOD sources.

How can you achieve this goal of cyber freedom of action, Ball asked, without knowing the threats that are out there?

Current information sharing efforts

DOD is using a variety of systems to gather threat information, Ball said. These include Host Based Security Systems, web content filters, an enterprise email security gateway and the Joint Regional Security Stack for the military's Joint Information Environment. Another tool is SharkSeer, a National Security Agency project that aims to detect and mitigate web-based zero-day malware and advanced persistent threats using commercial off-the-shelf technology.

DOD is also using privately sourced threat intel, such as McAfee Global Threat Intelligence; the Red Seal Threat Resource Library; and the Tenable Nessus Scanner and Passive Vulnerability Scanner.

While commercial sources of threat identification are important for DOD, so too is threat information shared by America's partners in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand and the United Kingdom. Ball noted, however, that the agency is behind the curve on information sharing, and is challenged as to how to ingest reporting information.

Automated event and incident management tools are where threat feeds really come into play, Ball noted. Analytics are required to process that much information, so automation needs to be a bigger part of any information-sharing regime.

Within the DOD, information security and continuous monitoring efforts such as risk scoring help identify "defense in depth" gaps. Defense in depth is the principle of having multiple layers of security mechanisms to increase the security of the system: if an attack causes one mechanism to fail, other layers are in place to protect the system.

Currently missing from the risk scoring, however, is what Ball called "mission dependence", namely what commanders need for mission completion.

Trust as an impediment to sharing

To get real solutions to today's cybersecurity problems, the biggest challenge is trust. Ball noted that it's essential to establish trust with intelligence community partners in order to reach true interoperability and automation, and to accurately evaluate the quality of information received.

Some areas of DOD are building out their own knowledge base of threat intel. Elsewhere, information-sharing strategies are being built at the state level.

Unfortunately, analysts don't necessarily trust the information they receive, because it has been stripped of detail to the point of becoming meaningless. It's challenging for analysts to draw actionable conclusions when the context is removed, Ball pointed out.

The solutions are far from clear. Ball underscored the need to expand trust with commercial entities. With a concentrated effort at relationship building, a two-way flow of information may be possible.

Another workaround may be in the packaging; Ball suggested that the name "threat information" rather than "threat intel" may make it more palatable to share among community stakeholders.

One thing is certain: unless all agencies find a way to exchange threat information, there will always be some holes in security defenses. Those holes will be the way in for determined bad actors.
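The risk-scoring passage above (defense-in-depth gaps, and the missing "mission dependence" factor) can be made concrete with a small scoring model. This is an added illustration, not DOD tooling or Ball's method; the layer names, weights, asset inventory and mission-dependence values are all constructed assumptions.

```python
"""Risk scoring over defense-in-depth layers, with and without mission dependence.

Added example, not DOD code: layers, weights and assets below are constructed.
"""
from dataclasses import dataclass

# Defensive layers every asset is expected to have (constructed list, loosely
# modelled on the tool classes named in the article).
LAYERS = ("host_security", "web_filter", "email_gateway",
          "vuln_scan_current", "net_segmentation")


@dataclass
class Asset:
    name: str
    controls: set            # layers actually present on this asset
    mission_dependence: float  # 0.0 (none) .. 1.0 (mission fails without it); assumed
    findings: int            # open vulnerability findings from scanning


def gap_score(asset):
    """Fraction of expected layers missing (0.0 = full defense in depth) and their names."""
    missing = [layer for layer in LAYERS if layer not in asset.controls]
    return len(missing) / len(LAYERS), missing


def risk_score(asset, use_mission_dependence=False):
    """Technical score (0..100) from layer gaps and findings, optionally weighted
    by mission dependence so that mission-critical assets rank higher."""
    gap, _ = gap_score(asset)
    base = 100 * (0.7 * gap + 0.3 * min(asset.findings, 10) / 10)
    if use_mission_dependence:
        base *= 0.5 + asset.mission_dependence   # range 0.5x .. 1.5x
    return round(base, 1)


def rank_names(assets, use_mission_dependence=False):
    """Asset names ordered from highest to lowest risk under the chosen model."""
    ordered = sorted(assets, key=lambda a: risk_score(a, use_mission_dependence), reverse=True)
    return [a.name for a in ordered]


# Constructed inventory: the lab box is technically the weakest, but the ops
# gateway is the one commanders cannot complete the mission without.
ASSETS = [
    Asset("lab-workstation", {"host_security", "web_filter"}, 0.1, findings=8),
    Asset("print-server", {"host_security", "web_filter", "email_gateway"}, 0.2, findings=5),
    Asset("ops-msg-gateway", {"host_security", "web_filter", "email_gateway"}, 1.0, findings=4),
]

if __name__ == "__main__":
    print("technical only:      ", rank_names(ASSETS))
    print("with mission weight: ", rank_names(ASSETS, use_mission_dependence=True))
```

Running it shows the ranking flip the article describes: on technical gaps alone the lab workstation leads, while weighting by mission dependence moves the ops gateway to the top.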