The government’s big idea to bolster the nation’s collective cyber defense isn’t attracting private-sector participants.
More than two years after Congress passed a landmark bill incentivizing companies to share with the government how and when malicious hackers are trying to penetrate their computer networks, only six companies and other non-federal entities are sharing that data, according to figures provided to Nextgov.
That’s compared with about 190 such entities and about 60 federal departments and agencies that are receiving cyber threat data from Homeland Security’s automated indicator sharing program, a Homeland Security official told Nextgov.
That low figure for private-sector participation is an additional blow to the program, which has struggled to provide companies and government agencies with the sort of actionable cyber intelligence that was promised by the Cybersecurity Act of 2015.
“CISA clearly hasn’t lived up to the full potential that I and many of my colleagues had hoped and wanted it to,” said Rep. Jim Langevin, D-R.I., co-founder of the Congressional Cybersecurity Caucus and a strong supporter of the bill when it passed.
CISA stands for the Cybersecurity Information Sharing Act, a major component of the Cybersecurity Act of 2015, which is often used as shorthand for the full bill.
Langevin had hoped that CISA would inspire several thousand companies or more to share threat information by this time, he said. He’d hoped that far more would be receiving the data—at least all of the Fortune 5,000.
But, more than two years later, only six non-federal organizations have followed through on sharing their own data.
If more companies don’t begin sharing cyber threat information, he said, the government should consider mandating cyber information sharing, through regulation or legislation—a shift that’s unlikely to be popular with the regulation-averse Trump administration.
“We need to get realistic about the fact that public-private partnerships haven’t yet borne the kind of fruit that we want,” Langevin said. “Public-private partnerships are preferable but, at some point, good intentions will only get us so far.”
Sen. Ron Wyden, D-Ore., who opposed CISA over privacy concerns, also urged turning to mandates rather than voluntary partnerships with business.
“The immunity this misguided law gave to America’s most powerful corporations appears to be far less useful for cybersecurity than its congressional proponents claimed,” Wyden said. “Instead of weakening privacy protections for Americans’ personal information, it would have been more productive for Congress to mandate strong encryption and other common sense cybersecurity best practices.”
Rep. Dutch Ruppersberger, D-Md., a co-sponsor of CISA, is trying to schedule a briefing with the House Appropriations Committee to discuss how Homeland Security can boost private-sector participation in the program, a spokeswoman told Nextgov.
“Obviously, we think six non-federal entities is unacceptable, and we know the department isn’t happy with that number, either,” the spokeswoman said.
During the briefing, Ruppersberger wants Homeland Security officials to “outline their game plan on how to bring this number up and provide better context regarding these six companies,” the spokeswoman said.
Ultimately, she said, “we need the private sector to step up and contribute more, but we have to make it easier, quicker and more fulfilling for them, too.”
The low figure for active participation in Homeland Security’s indicator sharing program comes after an earlier inspector general report dinged the department for flooding recipients with information but not giving them enough context to figure out what was important.
In one case, a federal agency received 11,447 cyber threat indicators from Homeland Security in 2016 and only two or three of them were actually useful, the inspector general said.
Rep. Bennie Thompson, D-Miss., ranking member on the Homeland Security Committee, urged Homeland Security to “improve the timeliness and quality” of the information it shares to bolster private-sector participation. He also said the private sector “needs to step up” and warned that “information sharing is not a one-way street.”
Information Sharing for Collective Defense
CISA, which failed to pass in two successive Congresses before finally becoming law in 2015, promised liability protections to companies if they shared cyber threat indicators with the government and with each other.
The law didn’t protect companies from being sued if they were breached by hackers, but it barred customers from suing the company merely for sharing their information with the government.
The idea was that the government would organize and prioritize all that threat information from companies, combine it with the government’s own store of threat data, collected by intelligence services and Homeland Security, and share the result back out with anyone who was interested, bolstering the nation’s collective cyber defense.
The information would all come at machine speed using special protocols too, so there would be no fiddling with phone calls and emails.
After years of haggling between security researchers, companies and privacy advocates, it was considered the most significant cyber legislation affecting the private sector to ever pass Congress.
What’s the Business Case?
The problem, former Homeland Security officials say, comes down to incentives.
CISA gave companies legal protection to share cyber threat information with the government but it didn’t make a business case for why it was in their interest to do so, said Phil Reitinger, who led Homeland Security’s cyber division under President Barack Obama.
“It’s easy to be a free rider in this this space and just consume the data other people produce,” said Reitinger. “The information security professionals get it, but there’s more work to be done convincing businesses that they’ve got a social responsibility to do this and, overall, it’s in their economic best interest.”
Reitinger noted that the number of companies sharing threat information may be larger than it appears because some companies may be sharing information with public-private partnerships, known as information sharing and analysis centers, which are sharing it, in turn, with Homeland Security.
Bruce McConnell, another top Homeland Security cyber official under Obama, also pointed to the free rider problem. He noted, however, some companies have improved sharing cyber threat information with each other in recent years, often leaving government out of the loop.
One model he cited was the Cyber Threat Alliance, a coalition of tech and security companies that share threat indicators, which was launched in 2017.
“Until companies realize we’re all in this together, the program will remain anemic,” McConnell said of the Homeland Security sharing program.
Always a Long Road
To be clear, cyber analysts and CISA’s sponsors never believed the legislation would be a panacea for cyber threats.
When CISA was on the Senate floor, one of its co-sponsors, Senate Intelligence Chairman Richard Burr, R-N.C., stressed that the bill “does not prevent cyberattacks” and acknowledged that no Senate bill could.
Burr praised the bill, though, for providing “a pathway to minimizing the amount of data that is lost.”
Burr’s co-sponsor, Sen. Dianne Feinstein, D-Calif., who was then the Intelligence Committee’s ranking member, lauded the bill for receiving support from over 40 business groups and the U.S. Chamber of Commerce. She also described it as a “first-step bill,” though, that would “not bring an end to successful cyberattacks or thefts.”
Judged by those modest goals, Reitinger, the former homeland security official, said CISA should not be deemed a failure.
Even if most companies are only receiving rather than sending cyber threat data, that still has the capability to make them significantly more secure, he said.
“In any sort of system like this, you’re likely to get an order of magnitude more recipients than donors,” he said. “I’m very happy with having almost 200 entities receiving data right now. But do I want more people contributing? For sure I do.”