DHS Threat Data Sharing Program a Good First Step But Here Are Its Shortcomings

The only real barrier to this program’s success won’t be technical. It will be trust.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

One of the most difficult aspects of cybersecurity is that most organizations are forced to reinvent the wheel when building their defenses. Hacker communities tend to share data and learn from one another, while most companies and organizations are too afraid to tip their hand about lessons learned from attacks.

Perhaps sharing that data might somehow tip off the hackers to new information, or make life easier for their legitimate competitors. And while what the attackers do is hardly a hacker university program, it does tend to put them just a few steps ahead of their targets.

But it’s getting to the point with so many breaches in both the private sector and in government that someone could seriously argue the United States is under attack. Bombs might not be falling, but money is being stolen, identities are being compromised and in some cases, businesses and lives are being ruined.

So, it was nice to see the Department of Homeland Security has started to share cyberthreat data it collects with the private sector. This is an amazing first step in making our nation more secure, though it doesn’t go nearly far enough in this era of constant attacks and advanced persistent threats.

But let’s talk about what the new program does right first. The biggest thing is that before moving forward with this new sharing plan, DHS took the time to come up with a set of standards that would be used for the sharing of threat data. This is critically important because a lot of security operations centers, or SOCs, have automated the collection of their threat information by incorporating security information and event management systems, or SIEMs.

In other words, using the proper protocols means threat intelligence provided by DHS can go directly into SIEMs to begin blocking things like IP addresses of known attackers without any people having to be in the loop. Clever SOC teams can even have that data mined pretty deeply to make connections between seemingly innocuous things like the phone number used to register a new domain. If a hacker or group used it before, that information could be automatically applied in defense.

Not surprisingly, DHS has settled on a protocol and a language some industries have been using for years: STIX and TAXII. One of my very first columns for Nextgov talked about a free threat intelligence tool called Soltra Edge using them. They work very well together, as I have seen many times in my lab when reviewing cybersecurity software and devices.

STIX, the Structured Threat Information eXpression language, helps to standardize threat data in such a way that automated systems can understand it. TAXII, the Trusted Automated eXchange of Indicator Information, defines protocols to properly transmit that data across organizational boundaries and networks.
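To make the ingestion path concrete, here is a small added example (it is not code from the column, from DHS, or from any STIX/TAXII tool) of what a SIEM-side consumer does with a STIX feed: pull the indicator patterns out of a bundle, turn them into a match list, and run that list over log lines. The column does not name a STIX version, so the STIX 2.1 JSON form is assumed for illustration; the bundle, the log lines, the addresses (RFC 5737 documentation ranges), the domain and the indicator ids are all constructed, and only simple equality patterns are parsed.

```python
"""Ingest STIX 2.1 indicators and match them against SIEM-style log lines.

Added example, not part of the column or of any DHS/AIS code. The bundle and
log lines are constructed sample data: 198.51.100.0/24 and 203.0.113.0/24 are
RFC 5737 documentation ranges and the domain is made up.
"""
import json
import re

# Constructed STIX 2.1 bundle with two indicators; the second carries a
# compound pattern (domain OR address) to show that one indicator can yield
# several match atoms.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2016-03-01T00:00:00.000Z",
            "modified": "2016-03-01T00:00:00.000Z",
            "name": "Known scanner (constructed)",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.7']",
            "valid_from": "2016-03-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2016-03-01T00:00:00.000Z",
            "modified": "2016-03-01T00:00:00.000Z",
            "name": "Phishing domain (constructed)",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'login-example.invalid'] OR [ipv4-addr:value = '203.0.113.9']",
            "valid_from": "2016-03-01T00:00:00Z",
        },
    ],
})

# Only simple "[type:property = 'value']" comparisons are parsed here; the full
# STIX pattern grammar (ranges, WITHIN, FOLLOWEDBY, ...) is out of scope.
_COMPARISON = re.compile(r"\[\s*([a-z0-9-]+):([a-z_.]+)\s*=\s*'([^']*)'\s*\]")


def load_indicators(bundle_json):
    """Return {(object_type, value): indicator_id} for every equality
    comparison found in the bundle's STIX-pattern indicators."""
    bundle = json.loads(bundle_json)
    atoms = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for obj_type, _prop, value in _COMPARISON.findall(obj["pattern"]):
            atoms[(obj_type, value)] = obj["id"]
    return atoms


# Constructed log lines in a firewall-style key=value layout.
SAMPLE_LOGS = [
    "2016-03-02T10:00:01Z action=allow src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2016-03-02T10:00:02Z action=allow src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2016-03-02T10:00:03Z action=allow src=10.0.0.8 dst=10.0.0.53 dport=53 query=login-example.invalid",
    "2016-03-02T10:00:04Z action=allow src=10.0.0.9 dst=203.0.113.9 dport=80",
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"query=([A-Za-z0-9.-]+)")


def match_logs(lines, atoms):
    """Return (line, indicator_id, matched_value) for each line that contains
    a value from the match list. The indicator's object type selects which
    extractor applies, so an address indicator never matches a domain field."""
    hits = []
    for line in lines:
        observed = {("ipv4-addr", ip) for ip in _IPV4.findall(line)}
        observed |= {("domain-name", d) for d in _DOMAIN.findall(line)}
        for key in sorted(observed):
            if key in atoms:
                hits.append((line, atoms[key], key[1]))
    return hits


if __name__ == "__main__":
    match_list = load_indicators(SAMPLE_BUNDLE)
    for line, ind_id, value in match_logs(SAMPLE_LOGS, match_list):
        print(f"{ind_id}\t{value}\t{line}")
```

Each hit carries the indicator id, which is the part worth keeping when a SIEM acts on a feed without a person in the loop: it is what lets an analyst trace a block back to the source indicator, check its `valid_from`, and retire it when the feed revokes it. Pivoting on registration details such as the phone number mentioned above is the same mechanism with a different observable type in the pattern.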

Both STIX and TAXII are open source, so anyone should be able to deploy them, and they are becoming increasingly popular. In fact, the only opposition I’ve seen to either was from threat intelligence companies that want to push their own proprietary languages and protocols instead – and they are quickly losing that fight.

So, DHS is offering threat intelligence data formatted to fit into almost any SIEM, with no cost to entry. That means both big and small organizations can take advantage of it. The government is asking companies to share their threat data back to DHS as well, which would be parsed and distributed to the community. Bringing in organizations of all sizes is another great idea, because different groups see different things. It’s basically more eyes for the community.

The only real barrier to this program’s success won’t be technical. It will be trust. At an event this month to unveil the program, the Wall Street Journal surveyed the attending chief information officers, and found that only 42 percent of them were likely to cooperate with the government in the wake of a new cyberincident.

Here is where the DHS effort falls a bit short.

On the one hand, officials promise any identifying data that could be used to track back to a company sharing its security information will be expunged. So, there is no danger of any secrets being leaked to the community, just the threat data that can be used to build better defenses. However, DHS is not going to include any government-captured threat data in the feed.

Presumably, there was a concern that sharing government data might compromise it somehow. But DHS can’t really expect to have it both ways. The department can’t assure companies that participation in the program is safe and useful, and then choose not to do so itself. Would you trust someone who assures you flying in an experimental vehicle is safe, but then refuses to get inside themselves?

I have seen threat data sharing programs work in specific industries, and having the government act as a neutral party to parse and distribute that data is a fantastic idea whose time has come. Hopefully, the government itself will jump in and begin sharing its data as well, as that would attract a lot more organizations and make the effort that much stronger. But as small steps go, this is a pretty big one, and in the right direction.