New head of Carnegie Mellon University's CERT and former federal Chief Information Security Officer Greg Touhill said Thursday that federal strategies for information sharing needed to keep their eye on the ball.
"You know, we default to indicators of compromise, and they're really important, but it's kind of like foul tipping in baseball," he said at the Billington Cybersecurity Defense Summit. "We really need to get the whole meat of the bat on the ball."
Rather than limit focus to IOCs, he said, the government needs "to do a better job of making sure that what information we share has contextual elements, and is timely."
Information sharing is a many-pronged process for the government. There are many groups of consumers for one agency's product, ranging from other federal agencies to private companies to foreign governments. There are multiple sources of information, including submissions from private firms, the intelligence community and law enforcement. And there are extensive concerns for privacy, protecting investigative techniques and guarding classified information.
Though federal offices like the Cybersecurity and Infrastructure Security Agency have been working to improve on all fronts, a recent inspector general's report found that the process was often too slow and sanitized, lacking in context for private firms to find much value.
Carnegie Mellon's CERT is a large research group affiliated with the university that frequently partners with the Department of Homeland Security, law enforcement and private sector. Touhill was named the new director on Wednesday.
Touhill went on to address the notion of defense forward, which federal agencies might need additional authorities, and why the private sector equivalent of "hack back" may not be a good idea.
"We've got the military with defend forward, but there's organizations like the FBI and Secret Service that have domestic law enforcement responsibilities. We probably need to think about how we interdict against cyber criminals inside the United States," he said, noting those authorities were a topic for Congress to consider this year and next.
"And further, when we do that right, then we won't have large companies saying 'hey, I want the ability to fire back against these targets that are coming into to us,'" he said. "That is a dangerous slope that we see some large companies saying that they want to do now, and we should do everything that we can to set conditions so that they don't feel like they have to do it."