Recently, the Department of Homeland Security (DHS) has advanced several cybersecurity information sharing initiatives to help the private sector better secure itself against cyber threats. We’ve hosted an Information Sharing and Analysis Organization (ISAO) Workshop in Boston on June 9, expanded our Enhanced Cybersecurity Services (ECS) program, grown our Cyber Information Sharing and Collaboration Program (CISCP), and we’re deploying near-real-time information sharing capabilities. As exciting as these activities are, I’d like to step back to first principles and discuss why information sharing is so important. I will then explain how our information sharing programs work together to help our private sector customers achieve a common goal.
Right now, our cybersecurity cost model is broken. Adversaries can often use the same attack against thousands of entities. It’s cheap for them to use the same tool and keep trying until they succeed. And eventually, they do. However, if the first targeted organization shares the identifying characteristics of the attack with all of its partners, who in turn share with their partners, then even if the adversary’s first attack was successful, the rest of its targets will have the knowledge they need to protect themselves. In this model, the adversary must craft a unique attack method for each target and will experience significantly higher costs that may be unsustainable for all but the most sophisticated adversaries.
To achieve this goal, information must be shared widely and quickly. DHS is moving forward to make progress in both of these areas. We recently convened our first ISAO workshop, where participants from the private sector, academia, and government shared ideas and opinions about the challenges and opportunities associated with the creation of ISAOs. This perspective and input will be valuable as we implement Executive Order 13691: Promoting Private Sector Cybersecurity Information Sharing in the coming months.
ISAOs will allow organizations, regardless of what sector they fall under, to join together and share cybersecurity information with each other and DHS. As a result, ISAOs will significantly increase the breadth of the information sharing ecosystem. Cyber threat information will reach a far greater number of organizations, decreasing the likelihood that a single attack method will succeed against multiple targets.
Speed is as important as scale. If we can only share cyber threat information after the adversary has compromised an organization, we have not succeeded. Therefore, we are moving quickly to deploy Automated Indicator Sharing, which will allow organizations to share and receive cyber threat indicators in near-real-time, formatted to be used immediately for network defense (in a format known as STIX/TAXII). With Automated Indicator Sharing, cyber threat information can be shared and applied to network defenses before the adversary can launch an attack. Right now, the best way for an organization to participate in Automated Indicator Sharing is by joining our Cyber Information Sharing and Collaboration Program (CISCP). Along with Automated Indicator Sharing, CISCP provides participating companies with a number of other benefits, including analyst-to-analyst collaborations, detailed technical bulletins, and in-depth information exchanges.
Our goal at DHS is for all U.S. companies to participate in near-real-time information sharing, either directly or through an ISAO, to better protect their networks. Working together, we will make progress toward achieving this goal and reversing the cybersecurity cost model so that defenders move more quickly than our adversaries.