Misconceptions hinder threat-sharing with government, DHS official says
Misconceptions from the private sector about the risks of sharing data with the government are still a hurdle when it comes to cyberthreat exchange programs, a Department of Homeland Security official said Thursday.
“I don’t think there are any risks to [sharing cyberthreat information] with the federal government; I think that there are potentially some perceived risks,” said Rick Driggers, an official at DHS’s Cybersecurity and Information Security Agency (CISA).
“I’ve heard that there are a lot of private-sector companies that don’t necessarily want to give information to the federal government,” Driggers said at the Workforce Summit produced by FedScoop. “And I totally get that.”
Concerns from private-sector organizations about sharing data with the government include that companies could expose themselves to litigation or reveal sensitive corporate information. That is despite a 2015 federal law that gives firms legal cover to share that data.
CISA touts its ability to be a clearinghouse of threat information, relaying declassified data to critical-infrastructure companies. Some of the agency’s threat-sharing programs have been more popular than others. The agency shares threat reports with “indicators of compromise,” or telltale signs of a strain of malware that private analysts can act upon. Officials say the close relationships they’ve built with the private sector in recent years have helped with threat-sharing.
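To show what “acting upon” a shared indicator list looks like on the defender’s side, here is an added example that is not CISA’s code and does not use any real CISA report format: a small matcher that takes a constructed indicator feed (domains, IP addresses and ranges, file hashes, all placeholder values) and sweeps a few constructed key=value log lines for hits. The log format and field names (`host`, `query`, `dst`, `sha256`) are assumptions made for the example.

```python
"""Match a shared indicator-of-compromise (IoC) list against local log lines.

Added illustration, not CISA's code: the feed, the log lines and the
key=value log format below are all constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IoC feed standing in for the indicators a threat report might carry.
IOC_FEED = {
    "domain": {"update-checker.example", "cdn-static.example"},
    "ipv4": {"203.0.113.7", "198.51.100.0/24"},   # a single host and a CIDR range
    "sha256": {"a" * 64},                          # placeholder file hash
}

# Constructed log lines in an assumed key=value format (not a real product's format).
SAMPLE_LOGS = [
    "ts=2023-10-05T12:00:01Z type=dns host=ws-12 query=update-checker.example",
    "ts=2023-10-05T12:00:03Z type=conn host=ws-12 dst=198.51.100.42 dport=443",
    "ts=2023-10-05T12:00:09Z type=file host=ws-07 sha256=" + "a" * 64,
    "ts=2023-10-05T12:01:00Z type=dns host=ws-03 query=www.example.org",
    "ts=2023-10-05T12:01:30Z type=conn host=ws-03 dst=192.0.2.10 dport=80",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value log line into a dict."""
    return dict(_KV.findall(line))


def match_logs(lines, feed=IOC_FEED):
    """Return a list of (host, ioc_type, indicator, line) tuples for every hit.

    Domains match exactly or as a subdomain; IPs are checked against each
    network in the feed (single addresses become /32 networks); hashes are
    compared case-insensitively.
    """
    networks = [ipaddress.ip_network(n, strict=False) for n in feed.get("ipv4", ())]
    domains = {d.lower().rstrip(".") for d in feed.get("domain", ())}
    hashes = {h.lower() for h in feed.get("sha256", ())}
    hits = []
    for line in lines:
        rec = parse_line(line)
        host = rec.get("host", "?")

        query = rec.get("query")
        if query:
            query = query.lower().rstrip(".")
            for d in domains:
                if query == d or query.endswith("." + d):
                    hits.append((host, "domain", d, line))

        dst = rec.get("dst")
        if dst:
            try:
                addr = ipaddress.ip_address(dst)
            except ValueError:
                addr = None
            if addr is not None:
                for net in networks:
                    if addr in net:
                        hits.append((host, "ipv4", str(net), line))

        digest = rec.get("sha256")
        if digest and digest.lower() in hashes:
            hits.append((host, "sha256", digest.lower(), line))
    return hits


def hosts_by_hit_count(hits):
    """Aggregate hits per host so analysts can triage the noisiest machines first."""
    counts = defaultdict(int)
    for host, _kind, _indicator, _line in hits:
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    found = match_logs(SAMPLE_LOGS)
    for host, kind, indicator, line in found:
        print(f"{host}: {kind} {indicator} <- {line}")
    print(hosts_by_hit_count(found))
```

The design point is that a shared report is only useful once it is normalized (lower-cased domains, CIDR-aware address matching, case-insensitive hashes) and joined against telemetry the organization already collects; the per-host tally is what turns a list of indicators into a triage queue.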
“We have information that the private sector doesn’t have, that state and locals don’t have, that our international partners don’t have,” Driggers said. “We are also getting information from all of those partnership domains.”
With its Automated Indicator Sharing program, however, DHS has struggled to get companies to send the department data (officials say that program has grown in the last year and will be reformed).
“The federal government doesn’t have all the answers,” Driggers said. “In a lot of ways, the private sector [is] leading in…cybersecurity. And we need to embrace…[and] support that.”
Driggers emphasized the protections that CISA has for the data that companies voluntarily share with the agency, adding that some information is exempt from being disclosed publicly under the Freedom of Information Act. He also spoke to the value of personal, informal relationships with private researchers, many of whom have government experience.
“That informal analytical exchange of information or exchange of ideas is equally important and, quite frankly, it’s a lot quicker,” Driggers said.
CISA officials are looking for new ways that they can directly communicate hacking threats to the private sector. The agency has, for example, asked lawmakers for subpoena authority to obtain contact information for companies that are vulnerable to a given cyberthreat.