Will Voluntary Cyber Threat Sharing Plan Cast Doubt Over CISPA?
The Cyber Intelligence Sharing and Protection Act (CISPA) might be cast into doubt in the wake of a Department of Defense announcement last week that as many as 1,000 defense contractors -- and possibly thousands more -- may voluntarily join an expanded program of sharing classified information on cyber threats with the federal government.
The program, known as the Defense Industrial Base Cyber Security/Information Assurance, or DIB CS/IA, has been in a pilot phase for the past four years with only 37 contractors. The expansion, recently approved by the Obama administration, means about 8,000 contractors cleared to work with DoD intellectual property are being invited to participate.
Bloomberg BusinessWeek reports that if this expansion "proves successful in safeguarding defense contractors from cyber attacks, the administration may enlarge the program to companies in 15 other critical infrastructure categories through the Department of Homeland Security," Eric Rosenbach, deputy assistant secretary of defense for cyber policy, said.
This, if it works as expected, could prompt those arguing over CISPA, recently passed by the U.S. House, along with other similar pending legislation in Congress, to wonder how necessary it all is. Why mandate information sharing with the government if it can happen voluntarily?
[See also: CISPA enjoys wide backing from enterprises]
Jason Healey, director of the Cyber Statecraft Initiative of the Washington, D.C. think tank Atlantic Council, says while "there absolutely are similarities" between DIB and the various legislative efforts, that there are "lots of other bits" in those bills -- such as mandatory security standards. "Some legislation is necessary," he says.
Dan Philpott, an expert in federal cybersecurity and editor of FISMApedia, says DIB CS/IA is "a much lighter version" of CISPA. He says another reason the program could not replace cybersecurity law is because it is unlikely that anything close to 8,000 contractors will volunteer to enter it. He believes the DoD is being optimistic even with an estimate of 1,000. "I think they'd be happy with 500," he says.
Beyond that, there is debate over how worthwhile and effective DIB CS/IA has been and will be. There is broad agreement that the threat of cyberattacks is increasing at "a rapid and accelerating rate," in the words of Rear Admiral Samuel Cox, director of intelligence for the military's Cyber Command, at a forum last month.
And the goal of the DIB expansion is for more sharing of data between private defense contractors and the DoD's intelligence-gathering arm, the National Security Agency. Richard A. Hale, deputy chief information officer for cybersecurity, told the American Forces Press Service, "We started the program in an attempt to share cyber-threat data with these companies in a way that allowed the companies to act on that information immediately," and called it, "an important step forward in our ability to catch up with widespread cyber threats."
But Healey, speaking to Reuters last week, expressed some skepticism about whether the benefits of DIB CS/IA would be worth the cost to contractors. "The DIB pilot probably increases the defenders' work factor much more than it increases the attackers," he said. "This is a lot of work and a lot of taxpayer dollars for something that has apparently not proven it can increase security more than on the margins."
Healey says he is "very pleased to see DoD saying they could scale this to 8,000 companies." But he still thinks the department could be much more efficient in its dealings with private industry.
In an article in The Atlantic, Healey argues that the NSA should simply declassify much of its database of malware "signatures."
While he acknowledges that critics will argue that such action would, "compromise our sensitive collection sources and methods. [But] in truth, the extreme classification surrounding most of these signatures protect little but bureaucratic inertia. General Michael Hayden, a past NSA director, made this case best, saying, 'Let me be clear: This stuff is overprotected.'"
"More importantly, the Internet is an open network and any adversary that uses novel malicious software knows it will eventually be discovered," he said.
Philpott adds that in the information security community, "signature-based security is becoming kind of looked down on. It's inherently weak because only identifies things that have already happened."
Healey writes in The Atlantic that NSA's signature database, while "considered among the crown jewels of the U.S. government's defense capabilities ... may not be as awe-inspiring as advertised." He adds: "And independent review found only marginal benefit" to contractors like Northrop Grumman or Lockheed Martin.
"Only 1% of the attacks were detected using NSA threat data that the companies did not already have themselves," Healey says.
He argues that a more effective system would be an "independent clearinghouse for signatures. NSA might anonymously add its signatures ... and further wash their source by mixing them with signatures from security companies and even with other nations' intelligence agencies."
"This option would create the world's best-ever signature database ... and any organization that contributes their signature collection would then able to use the full database," Healey says.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.