As the number of cyberattacks continues to rise, Federal experts say information sharing between the private and public sectors is critical when it comes to defending against cyber threats. However, experts are warning agencies that they need to start getting more specific on their information sharing needs if they want to achieve “a joint end-state” with industry.
During an August 9 event hosted by Government Executive, Federal experts shared how agencies and the private sector can work together to improve the sharing of threat data.
The biggest challenge in the information sharing space is “a lack of a lot of specific use cases,” according to Cheri Caddy, senior advisor for cybersecurity at the Department of Energy (DoE). Caddy stressed that the conversation can oftentimes feel like an “endless loop” of sharing entities asking for every piece of threat data available.
“I think the answer for information sharing for threat data isn’t more, it is more specificity, more actionable information, that the sharing entities can both perform specific tasks with,” Caddy said. “Information sharing is not the end, it is a means to an end. And getting focus on that end, and understanding, and having a joint understanding of that end really helps get out of the endless loop of, ‘well, give me everything you’ve got,’ kind of conversation.”
David Ring, cyber division section chief at the FBI, agreed with Caddy that it’s important that agencies and the private sector are “making sure we’re sharing the right stuff.”
“Oftentimes I think government, rather than simply asking our private sector partners what’s most important to them to share, and what they’re looking for, we make assumptions as to what we assumed those partners want to hear, and oftentimes it doesn’t align,” Ring said. “Making sure we’re sharing the right information at the right times is significant to counter a threat from a prevention standpoint.”
Ring also stressed that mandatory reporting will be necessary going forward, as the Federal government is reliant on the private sector to voluntarily report incidents and is only seeing “a very small piece of what’s actually happening out there.”
“Why it’s critical for that mandatory reporting is that the more information we get the better we can synthesize that information for two reasons,” Ring said. “One: to share it up, to make sure that companies are equipped, private sector partners are equipped, to protect their systems and prevent those types of attacks in the future and learning from the issues that we face. And secondly: so that the FBI has the building blocks necessary and the dots to connect when it comes to disrupting these actors moving forward.”
“We are better than we’ve ever been, and nowhere where we need to be, on both sides when it comes to government sharing and private sector sharing,” he added.
Caddy also agreed there is a “long way to go” for the information sharing space to get where it needs to be, and encouraged the private and public sectors to start looking at a joint end-state.
“The next incremental place that we can go collectively is to maybe start talking about a joint end-state. You know, what are we all aiming towards? More is not specific enough to give us the strategic way forward,” Caddy said.
“I think some of the legislation, some of the more recent policy initiatives are starting to talk about joint environments for information sharing,” she continued. “Where do we want to be, where do we need to be, to be able to share information at speed in a way that’s going to be effective to counter the adversary in cyberspace. So, I think we’re getting to that point, there’s still a long way to go.”