This week the Obama administration is releasing its second Executive Order in as many years on computer ("cyber") security, which reports are saying will create a new department in the intelligence community to handle computer security threat information sharing. Officials are hailing the center as "new" and unprecedented.
It’s not. We already have significant information sharing avenues, which makes the new center redundant. Companies can definitely look forward to more red tape when it comes to sharing computer security threats. And it’s not just a question of seemingly unnecessary bureaucracy. We’re concerned that the whole point of the new center is to be IN the intelligence community, and thus all but eliminate any transparency and accountability. And even if the center is housed in the Department of Homeland Security there is a potential for redundancy.
In a press release the Administration lauded the center, formally called the Cyber Threat Intelligence Integration Center, saying:
No single government entity is responsible for producing coordinated cyber threat assessments, ensuring that information is shared rapidly among existing cyber centers and other [government] elements, and supporting the work of operators and policymakers with timely intelligence about the latest cyber threats and threat actors
The description looks awfully familiar. It should; the Department of Homeland Security (DHS) has an entire department called the National Cybersecurity and Communications Integration Center (NCCIC) that seems to do pretty much everything the Administration thinks needs doing. NICCIC is a bridge between government, private sector, and international network defense communities. It's About page states that the "NCCIC analyzes cybersecurity and communications information, shares timely and actionable information, and coordinates response, mitigation and recovery efforts."
Digging deeper, NCCIC in turn houses US-CERT (United States Computer Emergency Readiness Team) and ICS-Cert (Industrial Control Systems Cyber Emergency Response Team). Both teams also handle computer security information sharing and threat analysis. Specifically, US-CERT "leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks."
The descriptions speak for themselves.
Current Public Sharing...
More confusing is trying to reconcile what this new center will contribute to the current public and private information-sharing regime. In 2012 the President signed EO 13636, which created the Enhanced Cybersecurity System, or ECS. The ECS focuses on sharing computer security information from the government to critical infrastructure and other "commercial service providers." At the time, it was hailed as a critical step to improving information sharing and coordinating cyberattacks since the private sector owns about 85% of the America's critical infrastructure. Two years later, we've heard little about its implementation.
The bottom line is that ECS, US-CERT, ICS-CERT, NCCIC, and other departments appear to be tasked with doing exactly what this new "Cyber Threat Agency" will be doing. And there’s more—the DHS programs complement DOD programs like the DIBNET, or Defense Industrial Base Network, where defense contractors share computer security information between themselves and with the government.
Current Private Sharing
All of this is on top of private-sector hubs known as Information Sharing and Analysis Centers (ISACs). ISACs are often sector specific and facilitate information sharing; they’ve been noted as working "very well" and are supplemented by public reports and private communications, like the recently launched ThreatExchange. Private sharing was further encouraged when the FTC and DOJ stated they would not prosecute companies under antitrust law for sharing computer security information. Combined, these private centers facilitate sharing and are core parts of the already current information-sharing regime.
What's New About the New Center?
Given the apparent redundancy of the new center, it’s hard not to believe that its main reason for being is its location: inside the intelligence community and shrouded in near-impenetrable secrecy. Keep in mind that it's long been settled that a civilian agency should lead the country's computer security—so settled that even former NSA chief General Keith Alexander declared that civilian agencies should take the lead on government computer security.
If the government wants more information sharing then it should expand the ECS or utilize the already current information sharing regimes in US-CERT and the private sector—or explain why it can’t be done in DHS. And of course, as we’ve often said, it’s not at all clear that information sharing is where we should be putting our security dollars and attention. Many of the past years' breaches were due to low-hanging fruit like encrypting personal information, making sure passwords aren't sent in unencrypted emails, and that employees don't download malware. For instance, the New York Times reported the JP Morgan hack occurred due to an un-updated server.
Devils are in the Details
The exact details of the center will be released later this week, but as of now the new center seems redundant. If we want to improve computer security and the sharing of threat information we must encourage companies and the government to use the already existing information sharing regimes. Creating another new bureaucracy inside the intelligence community will probably hinder, not help, the computer security landscape.