The House Armed Services Committee’s latest version of its annual defense authorization bill includes a number of intriguing provisions meant to further shore up cybersecurity coordination within the federal interagency and further clarify roles between the government and industry on things like threat intelligence and when to buy commercial products.
The proposed bill, from committee chair Adam Smith, D-Wash., would create a new Cyber Threat Information Collaboration Environment between the Department of Defense, Department of Homeland Security and National Security Agency to jointly work on identifying, mitigating or stopping cyber threats. It would also “provide limited access to appropriate operationally relevant data about cybersecurity risks and cybersecurity threats, including malware forensics and data from network sensor programs, on a platform that enables query and analysis.”
Another proposal would direct the Joint Forces Headquarters for the Department of Defense Information Networks to create a new program management office to manage and oversee the way DoD buys and shares commercial threat intelligence products with other components.
Ideas like the Cybersecurity Threat Information Collaboration Environment were pulled from the Cybersecurity Solarium Commission report published last year. Many of the commission’s ideas, like establishing a National Cyber director position at the White House, made it into law during last year’s defense authorization process.
Mark Montgomery, former executive director of the Solarium, told SC Media that legislators are attempting to reset the federal government’s internal approach to information sharing and engagement with industry after a number of previous failed attempts over the years.
“It’s an effort to create both classified and unclassified means for more effective dissemination of information and fusion of information at the governmental level and among the private sector,” said Montgomery, who now leads the Center of Cyber and Technology Innovation at the Foundation for Defense of Democracies. “It links in very closely with the recent announcement by CISA of the Joint Cyber Defense Collaborative,” as well as a separate recommendation for an integrated cyber center at DHS.
Latest attempt at public-private collaboration
The Solarium report argues that such increased collaboration between the government and private sector represents a key piece of the U.S. cybersecurity strategy, because it helps raise the collective security floor more broadly across industry, which in turn reduces the number of easy targets that bad actors can compromise and leverage to infect their partners, customers or government clients. The Russian campaign to use security weaknesses in SolarWinds software to compromise their customers, including government agencies, is a prime example of the dynamic policymakers are looking to change.
But creating a cybersecurity hub or “nerve center” to foster better partnership between government agencies and industry is already at the heart of other government projects, including the National Cybersecurity and Communications Integration Center at DHS, the NSA’s Cybersecurity Collaboration Center, the Integrated Cyber Center set up between the NSA and U.S. Cyber Command and the newly established Joint Cyber Defense Collaborative at CISA. There is also a constellation of information sharing and analysis centers specifically designed to share sector-specific threat data between businesses and the government.
Other problems, like an enduring lack of enthusiasm by private sector entities to actually share information back with other parties, have hampered similar information-sharing efforts with industry. Centers like NCCIC were supposed to play that role, but Montgomery said it is “not providing that capability right now” and has been largely reimagined as an internal tool for situational awareness at DHS.
Tatyana Bolton, policy director for R-Street’s cybersecurity and emerging threats team and a former senior policy director for the Solarium, told SC Media that the inclusion of the collaboration center in this year’s NDAA is a tacit admission that those previous ventures have largely failed, or at least have been ineffective at improving the government’s information-sharing processes.
The federal government has been trying to fix its information-sharing deficiencies for more than a decade. While agencies like CISA and the FBI have dramatically improved their relationships with industry and other stakeholders in government, too much cybersecurity collaboration in areas like energy, intelligence and financial services is “very much relationship driven and not institutionalized.”
Whether these newer projects can succeed where others failed will largely depend on the resources they’re given and the support they get from other parts of the federal government and industry. Bolton said the difference between success and failure for these latest enterprises “is as simple and as difficult as getting buy in.
“Is it finally the time when, with leadership from the White House, with [CISA Director] Jen Easterly focused on public-private information sharing … after all the significant intrusions over the past years, is this finally the time when people stop bickering about the right way to do this and invest in one congressionally mandated [place]?” she asked.
Streamline buying process
This desire also plays into the language directing the Pentagon to create a new office to oversee the way it buys and disseminates third-party, commercial threat intelligence. Some component agencies have redundant contracts in place with security or threat intelligence vendors, while others are buying intelligence or products they might otherwise have gotten from an existing contract or the government itself.
“There’s a lot of concern about using or buying duplicative tools across such a large entity as the DOD,” Bolton said of the proposed office. “This is also true for other agencies and across agencies … this is sort of DOD’s or Congress’ attempt to consolidate and streamline, because I think we have gotten to a point where a lot of people or organizations within the federal government have thought they could buy their way out of cybersecurity with all these different tools, and that’s just not the case.”