Government’s Getting Faster at Sharing Unclassified Cyber Threat Indicators

It’s also becoming rarer that an intelligence agency refuses to release a threat indicator entirely, a DHS official said.

The intelligence community and law enforcement agencies have become much faster at approving unclassified versions of the cyber threat indicators they send to the Homeland Security Department for public release, a department official said Wednesday.

The process for creating those unclassified indicators basically boils down to a back-and-forth conversation between the agency that discovered the cyber threat and officials at Homeland Security’s National Cybersecurity and Communications Integration Center, or NCCIC, the official said.

Once the originating agency decides the indicator has been scrubbed of enough information that might reveal intelligence sources and methods or compromise an ongoing investigation or prosecution, the alert is ready to go out, the official said during an NCCIC tour for reporters.

As cyber threats have increased and the NCCIC has grown more mature in recent years, that back-and-forth process has grown much faster, the official said, though the official didn’t provide specific time estimates.

Instances in which the originating agency refuses to allow NCCIC to release any unclassified version of the threat indicator have also grown rarer, though that still sometimes happens, the official said.

As a general rule, NCCIC staff and cyber defenders will always want to release more information while intelligence agencies will always want to release less information out of concern hackers could work backward from what is released to figure out how the intelligence community learned that information, the official said. However, the two sides have grown more adept at finding a comfortable middle ground.

“Threat indicator” is a broad term that can refer to a particular type of malware, a phishing email or any other tool hackers use to compromise computers and other digital systems.

The NCCIC works essentially as a clearinghouse for cyber threat indicators, receiving them from other parts of the U.S. government, from industry and from allied governments, and sharing them out to cyber defenders in industry.

“We don’t do cybersecurity in the NCCIC. We help you do it better,” the official said.

In the case of some “critical infrastructure” sectors, such as financial services, non-governmental representatives from those sectors are sitting inside the NCCIC and sharing information directly with their colleagues. Other sectors aren’t represented in the NCCIC but receive digital information in basically real time, the official said.

The NCCIC launched an automated indicator sharing program for government agencies and industry in 2016. Recipients of those automated indicators have complained, though, that only a small portion of what they receive is actually relevant to their organizations.

Also, only a handful of private sector organizations have agreed to share information with the automated system, while several hundred organizations are receiving indicators.

Homeland Security has said it’s working to remedy both issues.