In their efforts to protect physical and virtual assets from cyberattacks, U.S. intelligence agencies gather a copious amount of data each day, collating it from a wide array of public and private sector channels. However, these disparate bodies have not always efficiently shared that information, and their practices could be jeopardizing its value and endangering both infrastructure and lives.
In October 2009 the U.S. Department of Homeland Security (DHS) reorganized a vast apparatus of government agencies under the umbrella of the National Cybersecurity and Communications Integration Center (NCCIC), in order to address the cross-agency sharing conundrum. In theory, the NCCIC is a central command that governs all cybersecurity incidents and operations, with the stated goal of "[operating] at the intersection of the private sector, civilian, law enforcement, intelligence, and defense communities, applying unique analytic perspectives, ensuring shared situational awareness, and orchestrating synchronized response efforts."
As such, the NCCIC and the less formal network of public-private Information Sharing and Analysis Centers (ISACs) would appear to satisfy the U.S. government's post-9/11 requirement for comprehensive intelligence sharing systems that prevent catastrophic cyberspace events. However, the preventive effects of these partnerships on cybercrime are unknown and unproven, as is the exact value of shared information in actually stopping incidents. At a logistical level, coordination between government agencies and private organizations is also complicated by their differing sizes and needs, as well as the inadequate ways in which they are held accountable by the government when sharing information.
A sensible framework for data sharing between the public and private sectors would not only raise threat awareness and potentially reduce cyberattack risk, but it would also further everyone's security by providing guidance for how to safely handle sensitive data. As intelligence efforts widen in scope to deal with cybersecurity in addition to physical security, data sharing practices must keep pace and be diligent, so that items are not mishandled. Similarly, small organizations must be better integrated into sharing partnerships, since their absence has endangered their own security and weakened national threat awareness.
ISACs, NCCIC and public-private partnerships
The U.S. government now regards cybersecurity as a national priority. In a recent research paper about the state of PPPs under NCCIC, Georgetown University's Rachel Nyswander Thomas pointed out that there are nearly 2 billion cyberattacks leveled at the U.S. Congress and other federal departments every month. Additionally, attacks on their Internet infrastructure rose 40 percent year-over-year from 2010 to 2011, indicating the stakes of timely, efficient data sharing between government agencies and companies in their sector.
Right now, the DHS recognizes 16 Information Sharing and Analysis Centers (ISACs) that govern industries like finance, as well as facilities organizations identified under the DHS' Critical Infrastructure and Key Resources category. Most ISACs evolved from informal post-9/11 relationships, and they now operate as nonprofit organizations that monitor industry-specific cyberthreats. Although over a decade in the making, the ISAC network remains operationally immature, argued Thomas, with the varying levels of efficiency between sectors resulting in what FierceMarket's David Pereira, commenting on Thomas' paper, called only "small pockets of information sharing."
More specifically, these public-private partnerships (PPPs) have traditionally favored large organizations, at the expense of small and midsize ones that may have valuable contributions to make, yet lack the appropriate framework. For example, only 200 of the roughly 39,000 local governments in the U.S. currently participate in the Multi-State Information Sharing and Analysis Center. Aside from potentially widening intelligence blindspots, this lack of engagement could put absent organizations at heightened risk of cyberattack, since they would be less aware of the current threat environment.
At a higher level, the NCCIC encompasses five ISACs as well as intelligence officials from the U.S. Department of Defense, the NSA and the FBI. In addition to supplying organizations with government intelligence, the NCCIC's centralized, on-site environment seemingly circumvents the classification system that has previously made it difficult to share sensitive information.
NCCIC may be a failed one-size-fits-all approach to collaboration
However, weaknesses in the ISAC network could compromise the NCCIC's efficacy. ISACs are the primary mechanisms through which private organizations interact with high-level government intelligence, and their inconsistent, skewed makeup may mean that the NCCIC is not actually a comprehensive public-private sharing nexus.
"Without a fully mature ISAC in every sector, NCCIC lacks a qualified partner in several key areas of the private sector," wrote Thomas. "Further, the effectiveness of NCCIC's efforts – whether its activities around sharing, mitigation and planning have resulted in a reduction in cyber threats, or even more effective management of those that exist – have not yet been formally studied."
Whatever the shortcomings of current sharing practices, a more fundamental issue may stem from the lack of consensus about how to define and approach cybersecurity. Without a clear strategy in place, each PPP may be moving in a different direction in regard to interpreting threats and intelligence, unsure whether to prioritize attack prevention or create disaster recovery plans.
In that case, sharing itself would not ensure proper identification of risk, nor subsequent response. Underscoring the issue, Thomas' research indicated that only 2 of the 52 malicious activities identified over a six-month period, as part of the Defense Department's Defense Industrial Base Cyber Pilot program, were found using shared government information.
To avoid ineffective sharing and produce better information, PPPs may need to collaborate on a ground-up framework that establishes clear goals for gathering, handling and acting on threats, as opposed to informally constructed ISACs.
"While many partnerships continue to focus singularly on information sharing, the literature suggests the need for collaboration across a host of objectives, including research and development, building human capital, technical standard setting to ensure interoperability, and the development of domestic and international policy," explained Thomas.
Improving public-private sector information sharing
To improve PPPs, Thomas recommended the formation of "civic switchboards," which she defined as a partnership connecting organizations of all sizes under the light guidance of the federal government and nonprofit entities. She proposed a national switchboard for intelligence sharing, as well as a separate one for research.
"The civic switchboards alternative would focus on all of the appropriate goals to secure cyberspace by connecting and amplifying the work of existing PPPs [that] focus on security and resilience," proposed Thomas. "Using civic switchboards would [facilitate] information sharing, incident response, research and development, technical standard setting, the development of relevant policy on the national and international levels and the building of human capital necessary to achieve the other goals and objectives."
Drawing from civic switchboard examples like the Obama Administration's Startup America Partnership, public and private sector leaders may be able to produce a sharing framework that can accommodate organizations of all sizes. Only with comprehensive involvement will public and private organizations be able to access and act on information that can reduce national risk.