What DHS Must Do to Expand Cybersecurity Information-Sharing

More than a year has passed since the Department of Homeland Security expanded its voluntary program for sharing classified and unclassified threat indicators with critical infrastructure operators.

Executive order 13636 promoted the expansion of the Enhanced Cybersecurity Services program by directing DHS to collaborate with the Defense Department secretary to ensure all 16 critical infrastructure sectors were represented in the program. Commercial facilities, communications, the defense industrial base and financial services sectors are among the target audience.

A total of 40 critical infrastructure entities were participating in the program as of May 2014, according to a recent DHS inspector general report. An additional 22 companies had signed memorandums of agreement to begin receiving ECS services.

The problem is that these companies represent only three of the 16 designated sectors: the defense industrial base, energy sector and communication services. Of those enrolled in the program, only two are commercial services providers, and no additional providers have enrolled in the program since DHS took the reins in February 2013.

The ECS program benefits both CSPs and critical infrastructure companies because DHS can “alert CSPs to scan and quarantine email for malicious attachments and code prior to delivering these messages to critical infrastructure end users,” the IG report found.

The Benefits and Challenges of Sharing Threat Data

DHS’ Office of Cybersecurity and Communications (CS&C), which is primarily responsible for the program, has increased the frequency of cyber threat data feeds to companies from two to three times a week. On average, DHS shares 50 to 60 cyber threat indicators three times a week.

The goal is “to strengthen the cybersecurity of critical infrastructure by increasing the volume and timeliness, as well as improve the quality of, cyber threat information shared between the federal government and private sectors,” the report explains.

US-CERT reviews threat indicators before sharing them through the ECS program. But that process is bogged down by manual reviews because US-CERT doesn’t have an automated system. There’s also a process to ensure participating entities meet operational and technical security requirements before receiving cyber threats. While that process is necessary, validating each company takes time and resources.

“Although CS&C has made progress, enrollment in the ECS program has been slow because of limited communication and outreach and a necessary in-depth security validation and accreditation process for potential program participants,” the report said. “Further, the lack of analysis and manual reviews has affected the quality of cyber threat information provided to CSP participants.”

The IG recommended that DHS ensure sufficient resources are available to vet program participants, improve outreach to critical infrastructure owners and operators, and develop a system to manage and analyze threat indicators for the program.

To address those concerns, DHS:

• Added additional resources to support the growth of program participants, and more resources were requested for future years.
• Secured additional Federally Funded Research & Development Center security experts to support the security validation and accreditation process and is recruiting other qualified federal employees to build the staff. DHS is also contracting out for more help.
• Deployed an instance of the Cyber Indicator Analysis Platform to the Top Secret Mission Operating Environment network.

The department expects to complete a targeted outreach strategy by October.