everything possible

Only 6 Non-Federal Groups Are Sharing Cyber Threat Data with DHS

A 2016 law intended to bolster collective cyber defense isn’t attracting private-sector participants.

More than two years after Congress passed a landmark bill incentivizing companies to share with the government how and when malicious hackers are trying to penetrate their computer networks, only six companies and other non-federal entities are sharing that data, according to figures provided to Nextgov.

That’s compared with about 190 such entities and about 60 federal departments and agencies that are receiving cyber threat data from Homeland Security’s automated indicator sharing program, a Homeland Security official told Nextgov.

That low figure for private-sector participation is an additional blow to the program, which has struggled to provide companies and government agencies with the sort of actionable cyber intelligence that was promised by the Cybersecurity Act of 2015.

“CISA clearly hasn’t lived up to the full potential that I and many of my colleagues had hoped and wanted it to,” said Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus and a strong supporter of the bill when it passed.

CISA stands for the Cybersecurity Information Sharing Act, a major component of the Cybersecurity Act of 2015, which is often used as shorthand for the full bill.

Langevin had hoped that CISA would inspire several thousand companies or more to share threat information by this time, he said. He’d hoped that far more would be receiving the data—at least all of the Fortune 5,000.  

But, more than two years later, only six non-federal organizations have followed through on sharing their own data.

If more companies don’t begin sharing cyber threat information, he said, the government should consider mandating cyber information sharing, through regulation or legislation—a shift that’s unlikely to be popular with the regulation-averse Trump administration.

“We need to get realistic about the fact that public-private partnerships haven’t yet borne the kind of fruit that we want,” Langevin said. “Public-private partnerships are preferable but, at some point, good intentions will only get us so far.”

Sen. Ron Wyden, D-Ore., who opposed CISA over privacy concerns, also urged turning to mandates rather than voluntary partnerships with business.  

“The immunity this misguided law gave to America’s most powerful corporations appears to be far less useful for cybersecurity than its congressional proponents claimed,” Wyden said. “Instead of weakening privacy protections for Americans’ personal information, it would have been more productive for Congress to mandate strong encryption and other common sense cybersecurity best practices.”

Rep. Dutch Ruppersberger, D-Md., a co-sponsor of CISA, is trying to schedule a briefing with the House Appropriations Committee to discuss how Homeland Security can boost private-sector participation in the program, a spokeswoman told Nextgov.

“Obviously, we think six non-federal entities is unacceptable, and we know the department isn’t happy with that number, either,” the spokeswoman said.

During the briefing, Ruppersberger wants Homeland Security officials to “outline their game plan on how to bring this number up and provide better context regarding these six companies,” the spokeswoman said.

Ultimately, she said, “we need the private sector to step up and contribute more, but we have to make it easier, quicker and more fulfilling for them, too.”

The low figure for active participation in Homeland Security’s indicator sharing program comes after an earlier inspector general report dinged the department for flooding recipients with information but not giving them enough context to figure out what was important.

In one case, a federal agency received 11,447 cyber threat indicators from Homeland Security in 2016 and only two or three of them were actually useful, the inspector general said.

Rep. Bennie Thompson, D-Miss., ranking member on the Homeland Security Committee, urged Homeland Security to “improve the timeliness and quality” of the information it shares to bolster private-sector participation. He also said the private sector “needs to step up” and warned that “information sharing is not a one-way street.” 

Information Sharing for Collective Defense

CISA, which failed to pass in two successive Congresses before finally becoming law in 2015, promised liability protections to companies if they shared cyber threat indicators with the government and with each other.

The law didn’t protect companies from being sued if they were breached by hackers, but it barred customers from suing the company merely for sharing their information with the government.

The idea was that the government would organize and prioritize all that threat information from companies, combine it with the government’s own store of threat data, collected by intelligence services and Homeland Security, and share the result back out with anyone who was interested, bolstering the nation’s collective cyber defense.

The information would all come at machine speed using special protocols too, so there would be no fiddling with phone calls and emails.

After years of haggling between security researchers, companies and privacy advocates, it was considered the most significant cyber legislation affecting the private sector to ever pass Congress.

What’s the Business Case?

The problem, former Homeland Security officials say, comes down to incentives.

CISA gave companies legal protection to share cyber threat information with the government but it didn’t make a business case for why it was in their interest to do so, said Phil Reitinger, who led Homeland Security’s cyber division under President Barack Obama.

“It’s easy to be a free rider in this this space and just consume the data other people produce,” said Reitinger. “The information security professionals get it, but there’s more work to be done convincing businesses that they’ve got a social responsibility to do this and, overall, it’s in their economic best interest.”

Reitinger noted that the number of companies sharing threat information may be larger than it appears because some companies may be sharing information with public-private partnerships, known as information sharing and analysis centers, which are sharing it, in turn, with Homeland Security.  

Bruce McConnell, another top Homeland Security cyber official under Obama, also pointed to the free rider problem. He noted, however, some companies have improved sharing cyber threat information with each other in recent years, often leaving government out of the loop.

One model he cited was the Cyber Threat Alliance, a coalition of tech and security companies that share threat indicators, which was launched in 2017.  

“Until companies realize we’re all in this together, the program will remain anemic,” McConnell said of the Homeland Security sharing program.  

Always a Long Road

To be clear, cyber analysts and CISA’s sponsors never believed the legislation would be a panacea for cyber threats.

When CISA was on the Senate floor, one of its co-sponsors, Senate Intelligence Chairman Richard Burr, R-N.C., stressed that the bill “does not prevent cyberattacks” and acknowledged that no Senate bill could.

Burr praised the bill, though, for providing “a pathway to minimizing the amount of data that is lost.”

Burr’s co-sponsor, Sen. Dianne Feinstein, D-Calif., who was then the Intelligence Committee’s ranking member, lauded the bill for receiving support from over 40 business groups and the U.S. Chamber of Commerce. She also described it as a “first-step bill,” though, that would “not bring an end to successful cyberattacks or thefts.”

Judged by those modest goals, Reitinger, the former homeland security official, said CISA should not be deemed a failure.

Even if most companies are only receiving rather than sending cyber threat data, that still has the capability to make them significantly more secure, he said.

“In any sort of system like this, you’re likely to get an order of magnitude more recipients than donors,” he said. “I’m very happy with having almost 200 entities receiving data right now. But do I want more people contributing? For sure I do.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.