On Wednesday I testified before the U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection about information sharing.
U.S. Rep John Ratcliffe (R-TX), chairman of the subcommittee, and Congressman Jim Langevin (D-
That act eliminated many of the excuses for why companies don’t share cybersecurity information. It also directed the Department of Homeland Security (DHS) and other agencies to develop the means to share classified information with private companies.
In my testimony, available on the committee website, I focused on the need for the government to extend to the private sector a classified network for sharing threat information about critical infrastructure.
DHS, the FBI, and the intelligence community have done a commendable job of downgrading and distributing intelligence to the private sector. They do this through the Automated Indicator Sharing program, which has reportedly pumped out over 2,000 formerly classified indicators, and through the Enhanced Cybersecurity Services program, which shares classified indicators with managed security service providers so they can protect their customers. And they do it through the “4b” process, named after section 4(b) of EO 13636, which requires the government to notify a company when it has information that the company is the target, or victim, of malicious cyber activity.
Yet there will always remain information that cannot be declassified due to the need to protect sources and methods used to collect intelligence (in the digital game of shadows, there are advantages to be gained by not telling your adversary you are on to them).
As my fellow witness Ann Barron-DiCamillo, American Express VP of Cyber Intel & Incident Response, noted, what unclassified indicators from government lack is the context that helps network defenders figure out what to do with a given piece of information.
Sharing this context, and allowing government and private sector partners to collaborate on response, requires a separate, secure, classified network. The Defense Department has proven the effectiveness of the model with its DIBnet program, which shares classified threat information with cleared defense contractors. It works. It is relatively inexpensive. It could be started with a small number of Section 9 companies (the critical infrastructure entities identified under section 9 of EO 13636) that are ready, willing, and able to participate. A Critical Information Network (CINET) would provide real value to network defenders; it could also lay the groundwork for solving a larger problem.
While sharing information is important, it is also a means to an end. That end is protecting networks from malicious actors. Information sharing aids detection and response, but more can be done to keep malicious actors out of critical infrastructure in the first place.
The rationale that dictates keeping intelligence information protected on a separate network that provides higher degrees of assurance also holds for the operational data that keeps our critical infrastructure humming.
We should think about the value of CINET not just as a means to share cyber threat information but also as a secure network to which operational technology could be connected — separate and apart from the Internet.
This idea has received a boost from the National Infrastructure Advisory Council, which recently recommended the development of “separate, secure communications networks designated for the most critical cyber networks, including ‘dark fiber’ networks for critical control system traffic…”
A separate network for critical infrastructure, with the same controls on who is authorized to access it and the same technical controls used to protect intelligence networks, would not be a silver bullet. The intelligence community’s struggles to address insider threats are testament to that fact. But the risk reduction that would be gained far outweighs the cost.
At the Global Resilience Institute we have begun what will be a multi-year effort to study the feasibility of CINET, design it, and pilot it in the greater Boston area. Stay tuned for further updates or reach out if you are interested in collaborating with us on this important work!