SAN FRANCISCO -- A panel of government cybersecurity experts at RSA Conference 2015 criticized the lack of security information sharing at several federal agencies and encouraged the government to provide more intelligence to the private sector.
Former officials from the FBI, the Department of Defense and the Department of Homeland Security discussed each agency's role in government cybersecurity and addressed areas for improvement. And the biggest area, they said, was sharing security intelligence about emerging threats, vulnerabilities and threat actors.
"I think the area that's the biggest sticking point is the use of intelligence -- how is it collected, how is it utilized and how is it shared?" said Shawn Henry, CSO and president of the services division at CrowdStrike, a security firm in Irvine, Calif.
Henry previously served as executive assistant director of the FBI and was responsible for all cyber programs and investigations worldwide at the agency. He said that while people have talked for years about better public-private partnerships around information security, little has changed. "When people use these amorphous concepts about information sharing, it all sounds wonderful -- but it's just never been clearly defined," he said.
Defining information sharing isn't the only issue, according to the panelists. Jane Lute, CEO of the Council on CyberSecurity, said there's a fundamental disconnect in interagency sharing. Lute previously served as deputy secretary for the U.S. Department of Homeland Security and was also a member of the National Security Council staff under former presidents George H. W. Bush and Bill Clinton. She found, in her experience, that agencies often battle each other over intelligence.
"We allowed national security and homeland security and law enforcement to fight each other over primacy when it came to intelligence," she said, adding that there is an "intrinsic tension" to keep information secret, deploy it rapidly and preserve it for law enforcement purposes.
Lute also said national security and homeland security agencies have good reasons for wanting to keep information secret, but "what we learned is secrecy doesn't scale" when it comes to information security.
John C. "Chris" Inglis, a board advisor to Los Angeles-based security analytics firm Securonix and former deputy director and senior civilian leader of the National Security Agency, said effective cybersecurity needs to involve both the public and private sectors working together. "There are a lot of authorities, both in the private sector and in the government, that need to be applied in a concurrent fashion," he said.
Inglis agreed the federal government needs to engage in better security information sharing across agencies and with the private sector, and that there should be a predisposition toward sharing rather than classifying information. "What we need to richly share is everything we know about the nature of threat actors in this space," he said, "and on occasion we'll be pleasantly surprised to see something you passed across actually connects … on the other side."
But that's not happening, according to Henry. "Being in the private sector now for three years," he said, "I deal with companies every single day that are banging their heads against the wall because they're not getting valuable intelligence out of the government."
Henry said private companies need better guidelines from federal government agencies on what information they should be sharing, how to share it and what they can expect in return. In addition, he said the government should relax its restrictions on security information. "I believe that in this space the vast majority of what's being collected by various agencies can be shared in an unclassified manner," he said.
Inglis said there will be natural limitations on security information sharing, such as maintaining evidence for the assurance of a fair trial. He also said that while information sharing may improve, it won't cure all the problems overnight, because the information that's shared still needs to be put in proper context. "There are still going to be some broken hearts at the end of the day," Inglis said. "The government is good at divining secrets but not mysteries."