‘See Something, Say Something’-like System to Power Sharing of Cyber Tips


White House asks intelligence agency for help executing part of its cybersecurity directive.

The White House will refurbish existing technology for sharing reports of suspected terrorist activity to carry out a new executive order encouraging the disclosure of cyber threats, U.S. intelligence officials told Nextgov.

Since 2004, an agency within the Office of the Director of National Intelligence has put forth technical standards and policies to protect the quality and confidentiality of tips exchanged concerning national security threats. One of the key counterterrorism efforts supported by the DNI Information Sharing Environment office is the “Nationwide Suspicious Activity Reporting” system that securely routes incoming messages from the “See Something, Say Something” public awareness campaign.

Now, to hasten cybersecurity-related communications, the intelligence community, along with the Defense, Commerce, Homeland Security and Justice departments, is "leveraging the appropriate best practices, frameworks, and assets from the Information Sharing Environment," said Kshemendra Paul, program manager for the intelligence office, known as ISE.

The speed and security of ISE’s counterterrorism messaging techniques prompted the Obama administration to broaden their use, according to intelligence officials.

“The White House recognizes cyber information sharing as a priority,” and, in line with its policies on data protection, “has asked [ISE] to join the interagency team as part of a broader push to accelerate responsible sharing of cybersecurity information,” Paul said.

The cybersecurity executive order, released last week, includes rules for the government and voluntary initiatives for vital U.S. sectors, such as the energy and health care industries, aimed at protecting private networks.

One provision calls on the DNI and other agencies to establish a mechanism similar to the suspicious activity reporting system for sharing computer infection alerts. The order requires a process that "rapidly disseminates" to affected companies reports about "cyber threats to the U.S. homeland that identify a specific targeted entity." The procedures, however, must not allow the intelligence to be leaked or blow the cover off sources, the provision states.

The cyber tip hotline will not exactly mirror the counterterrorism phone tree. Rather, the new information-sharing arrangement will reuse applicable features as a foundation, a DNI official said.

Today, to communicate potential terrorist threats, local police forward messages to analysts at DHS-funded state fusion centers, who decide whether the reported abnormal activity merits circulation. Writeups worthy of national distribution are stripped of any sensitive personal or investigative information to protect local citizens. Each file is then catalogued inside a state-owned server that outside authorities access remotely through the cloud. This way, each jurisdiction maintains control over its data and does not have to buy a whole new computing system.

The usefulness of this information-sharing approach is still up for debate. Critics of the suspicious activity reporting system, including the American Civil Liberties Union, say it overshoots and captures innocent behavior, like tourists snapping photos of bridges. At the other extreme, the DNI reported in 2012 that almost half of federal agencies were not entering documented incidents into the network.

The tools and techniques for conveying threats are still evolving, intelligence officials say. And even ACLU members have commended ISE for refining the reporting standards to, among other things, force police to establish a connection to terrorism before publishing Americans' personal information.
