

SUBSCRIBE TO OUR FREE NEWSLETTER
Daily news & progressive opinion—funded by the people, not the corporations—delivered straight to your inbox.
5
#000000
#FFFFFF
To donate by check, phone, or other method, see our More Ways to Give page.


Daily news & progressive opinion—funded by the people, not the corporations—delivered straight to your inbox.
This week the Obama administration is releasing its second Executive Order in as many years on computer ("cyber") security, which reports are saying will create a new department in the intelligence community to handle computer security threat information sharing. Officials are hailing the center as "new" and unprecedented.
It's not. We already have significant information sharing avenues, which makes the new center redundant. Companies can definitely look forward to more red tape when it comes to sharing computer security threats. And it's not just a question of seemingly unnecessary bureaucracy. We're concerned that the whole point of the new center is to be IN the intelligence community, and thus all but eliminate any transparency and accountability. And even if the center is housed in the Department of Homeland Security there is a potential for redundancy.
In a press release the Administration lauded the center, formally called the Cyber Threat Intelligence Integration Center, saying:
No single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other [government] elements, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats and threat actors
The description looks awfully familiar. It should; the Department of Homeland Security (DHS) has an entire department called the National Cybersecurity and Communications Integration Center (NCCIC) that seems to do pretty much everything the Administration thinks needs doing. NICCIC is a bridge between government, private sector, and international network defense communities. It's About page states that the "NCCIC analyzes cybersecurity and communications information, shares timely and actionable information, and coordinates response, mitigation and recovery efforts."
Digging deeper, NCCIC in turn houses US-CERT (United States Computer Emergency Readiness Team) and ICS-Cert (Industrial Control Systems Cyber Emergency Response Team). Both teams also handle computer security information sharing and threat analysis. Specifically, US-CERT "leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks."
The descriptions speak for themselves.
Current Public Sharing...
More confusing is trying to reconcile what this new center will contribute to the current public and private information-sharing regime. In 2012 the President signed EO 13636, which created the Enhanced Cybersecurity System, or ECS. The ECS focuses on sharing computer security information from the government to critical infrastructure and other "commercial service providers." At the time, it was hailed as a critical step to improving information sharing and coordinating cyberattacks since the private sector owns about 85% of the America's critical infrastructure. Two years later, we've heard little about its implementation.
The bottom line is that ECS, US-CERT, ICS-CERT, NCCIC, and other departments appear to be tasked with doing exactly what this new "Cyber Threat Agency" will be doing. And there's more--the DHS programs complement DOD programs like the DIBNET, or Defense Industrial Base Network, where defense contractors share computer security information between themselves and with the government.
Current Private Sharing
All of this is on top of private-sector hubs known as Information Sharing and Analysis Centers (ISACs). ISACs are often sector specific and facilitate information sharing; they've been noted as working "very well" and are supplemented by public reports and private communications, like the recently launched ThreatExchange. Private sharing was further encouraged when the FTC and DOJ stated they would not prosecute companies under antitrust law for sharing computer security information. Combined, these private centers facilitate sharing and are core parts of the already current information-sharing regime.
What's New About the New Center?
Given the apparent redundancy of the new center, it's hard not to believe that its main reason for being is its location: inside the intelligence community and shrouded in near-impenetrable secrecy. Keep in mind that it's long been settled that a civilian agency should lead the country's computer security--so settled that even former NSA chief General Keith Alexander declared that civilian agencies should take the lead on government computer security.
If the government wants more information sharing then it should expand the ECS or utilize the already current information sharing regimes in US-CERT and the private sector--or explain why it can't be done in DHS. And of course, as we've often said, it's not at all clear that information sharing is where we should be putting our security dollars and attention. Many of the past years' breaches were due to low-hanging fruit like encrypting personal information, making sure passwords aren't sent in unencrypted emails, and that employees don't download malware. For instance, the New York Times reported the JP Morgan hack occurred due to an un-updated server.
Devils are in the Details
The exact details of the center will be released later this week, but as of now the new center seems redundant. If we want to improve computer security and the sharing of threat information we must encourage companies and the government to use the already existing information sharing regimes. Creating another new bureaucracy inside the intelligence community will probably hinder, not help, the computer security landscape.
Dear Common Dreams reader, It’s been nearly 30 years since I co-founded Common Dreams with my late wife, Lina Newhouser. We had the radical notion that journalism should serve the public good, not corporate profits. It was clear to us from the outset what it would take to build such a project. No paid advertisements. No corporate sponsors. No millionaire publisher telling us what to think or do. Many people said we wouldn't last a year, but we proved those doubters wrong. Together with a tremendous team of journalists and dedicated staff, we built an independent media outlet free from the constraints of profits and corporate control. Our mission has always been simple: To inform. To inspire. To ignite change for the common good. Building Common Dreams was not easy. Our survival was never guaranteed. When you take on the most powerful forces—Wall Street greed, fossil fuel industry destruction, Big Tech lobbyists, and uber-rich oligarchs who have spent billions upon billions rigging the economy and democracy in their favor—the only bulwark you have is supporters who believe in your work. But here’s the urgent message from me today. It's never been this bad out there. And it's never been this hard to keep us going. At the very moment Common Dreams is most needed, the threats we face are intensifying. We need your support now more than ever. We don't accept corporate advertising and never will. We don't have a paywall because we don't think people should be blocked from critical news based on their ability to pay. Everything we do is funded by the donations of readers like you. When everyone does the little they can afford, we are strong. But if that support retreats or dries up, so do we. Will you donate now to make sure Common Dreams not only survives but thrives? —Craig Brown, Co-founder |
This week the Obama administration is releasing its second Executive Order in as many years on computer ("cyber") security, which reports are saying will create a new department in the intelligence community to handle computer security threat information sharing. Officials are hailing the center as "new" and unprecedented.
It's not. We already have significant information sharing avenues, which makes the new center redundant. Companies can definitely look forward to more red tape when it comes to sharing computer security threats. And it's not just a question of seemingly unnecessary bureaucracy. We're concerned that the whole point of the new center is to be IN the intelligence community, and thus all but eliminate any transparency and accountability. And even if the center is housed in the Department of Homeland Security there is a potential for redundancy.
In a press release the Administration lauded the center, formally called the Cyber Threat Intelligence Integration Center, saying:
No single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other [government] elements, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats and threat actors
The description looks awfully familiar. It should; the Department of Homeland Security (DHS) has an entire department called the National Cybersecurity and Communications Integration Center (NCCIC) that seems to do pretty much everything the Administration thinks needs doing. NICCIC is a bridge between government, private sector, and international network defense communities. It's About page states that the "NCCIC analyzes cybersecurity and communications information, shares timely and actionable information, and coordinates response, mitigation and recovery efforts."
Digging deeper, NCCIC in turn houses US-CERT (United States Computer Emergency Readiness Team) and ICS-Cert (Industrial Control Systems Cyber Emergency Response Team). Both teams also handle computer security information sharing and threat analysis. Specifically, US-CERT "leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks."
The descriptions speak for themselves.
Current Public Sharing...
More confusing is trying to reconcile what this new center will contribute to the current public and private information-sharing regime. In 2012 the President signed EO 13636, which created the Enhanced Cybersecurity System, or ECS. The ECS focuses on sharing computer security information from the government to critical infrastructure and other "commercial service providers." At the time, it was hailed as a critical step to improving information sharing and coordinating cyberattacks since the private sector owns about 85% of the America's critical infrastructure. Two years later, we've heard little about its implementation.
The bottom line is that ECS, US-CERT, ICS-CERT, NCCIC, and other departments appear to be tasked with doing exactly what this new "Cyber Threat Agency" will be doing. And there's more--the DHS programs complement DOD programs like the DIBNET, or Defense Industrial Base Network, where defense contractors share computer security information between themselves and with the government.
Current Private Sharing
All of this is on top of private-sector hubs known as Information Sharing and Analysis Centers (ISACs). ISACs are often sector specific and facilitate information sharing; they've been noted as working "very well" and are supplemented by public reports and private communications, like the recently launched ThreatExchange. Private sharing was further encouraged when the FTC and DOJ stated they would not prosecute companies under antitrust law for sharing computer security information. Combined, these private centers facilitate sharing and are core parts of the already current information-sharing regime.
What's New About the New Center?
Given the apparent redundancy of the new center, it's hard not to believe that its main reason for being is its location: inside the intelligence community and shrouded in near-impenetrable secrecy. Keep in mind that it's long been settled that a civilian agency should lead the country's computer security--so settled that even former NSA chief General Keith Alexander declared that civilian agencies should take the lead on government computer security.
If the government wants more information sharing then it should expand the ECS or utilize the already current information sharing regimes in US-CERT and the private sector--or explain why it can't be done in DHS. And of course, as we've often said, it's not at all clear that information sharing is where we should be putting our security dollars and attention. Many of the past years' breaches were due to low-hanging fruit like encrypting personal information, making sure passwords aren't sent in unencrypted emails, and that employees don't download malware. For instance, the New York Times reported the JP Morgan hack occurred due to an un-updated server.
Devils are in the Details
The exact details of the center will be released later this week, but as of now the new center seems redundant. If we want to improve computer security and the sharing of threat information we must encourage companies and the government to use the already existing information sharing regimes. Creating another new bureaucracy inside the intelligence community will probably hinder, not help, the computer security landscape.
This week the Obama administration is releasing its second Executive Order in as many years on computer ("cyber") security, which reports are saying will create a new department in the intelligence community to handle computer security threat information sharing. Officials are hailing the center as "new" and unprecedented.
It's not. We already have significant information sharing avenues, which makes the new center redundant. Companies can definitely look forward to more red tape when it comes to sharing computer security threats. And it's not just a question of seemingly unnecessary bureaucracy. We're concerned that the whole point of the new center is to be IN the intelligence community, and thus all but eliminate any transparency and accountability. And even if the center is housed in the Department of Homeland Security there is a potential for redundancy.
In a press release the Administration lauded the center, formally called the Cyber Threat Intelligence Integration Center, saying:
No single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other [government] elements, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats and threat actors
The description looks awfully familiar. It should; the Department of Homeland Security (DHS) has an entire department called the National Cybersecurity and Communications Integration Center (NCCIC) that seems to do pretty much everything the Administration thinks needs doing. NICCIC is a bridge between government, private sector, and international network defense communities. It's About page states that the "NCCIC analyzes cybersecurity and communications information, shares timely and actionable information, and coordinates response, mitigation and recovery efforts."
Digging deeper, NCCIC in turn houses US-CERT (United States Computer Emergency Readiness Team) and ICS-Cert (Industrial Control Systems Cyber Emergency Response Team). Both teams also handle computer security information sharing and threat analysis. Specifically, US-CERT "leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks."
The descriptions speak for themselves.
Current Public Sharing...
More confusing is trying to reconcile what this new center will contribute to the current public and private information-sharing regime. In 2012 the President signed EO 13636, which created the Enhanced Cybersecurity System, or ECS. The ECS focuses on sharing computer security information from the government to critical infrastructure and other "commercial service providers." At the time, it was hailed as a critical step to improving information sharing and coordinating cyberattacks since the private sector owns about 85% of the America's critical infrastructure. Two years later, we've heard little about its implementation.
The bottom line is that ECS, US-CERT, ICS-CERT, NCCIC, and other departments appear to be tasked with doing exactly what this new "Cyber Threat Agency" will be doing. And there's more--the DHS programs complement DOD programs like the DIBNET, or Defense Industrial Base Network, where defense contractors share computer security information between themselves and with the government.
Current Private Sharing
All of this is on top of private-sector hubs known as Information Sharing and Analysis Centers (ISACs). ISACs are often sector specific and facilitate information sharing; they've been noted as working "very well" and are supplemented by public reports and private communications, like the recently launched ThreatExchange. Private sharing was further encouraged when the FTC and DOJ stated they would not prosecute companies under antitrust law for sharing computer security information. Combined, these private centers facilitate sharing and are core parts of the already current information-sharing regime.
What's New About the New Center?
Given the apparent redundancy of the new center, it's hard not to believe that its main reason for being is its location: inside the intelligence community and shrouded in near-impenetrable secrecy. Keep in mind that it's long been settled that a civilian agency should lead the country's computer security--so settled that even former NSA chief General Keith Alexander declared that civilian agencies should take the lead on government computer security.
If the government wants more information sharing then it should expand the ECS or utilize the already current information sharing regimes in US-CERT and the private sector--or explain why it can't be done in DHS. And of course, as we've often said, it's not at all clear that information sharing is where we should be putting our security dollars and attention. Many of the past years' breaches were due to low-hanging fruit like encrypting personal information, making sure passwords aren't sent in unencrypted emails, and that employees don't download malware. For instance, the New York Times reported the JP Morgan hack occurred due to an un-updated server.
Devils are in the Details
The exact details of the center will be released later this week, but as of now the new center seems redundant. If we want to improve computer security and the sharing of threat information we must encourage companies and the government to use the already existing information sharing regimes. Creating another new bureaucracy inside the intelligence community will probably hinder, not help, the computer security landscape.