Although we often think about cybersecurity in terms of what federal, state, or local governments are doing to counter cyber threats, the private sector has a huge role to play as well. Over the past year, the National Fusion Center Association (NFCA) has been working closely with the International Association of Chiefs of Police (IACP) and the office of the Program Manager for the Information Sharing Environment (PM-ISE) to examine cybersecurity information sharing from many angles. Stakeholders from many communities, including law enforcement, homeland security, emergency management, and information technology (IT), participated in a series of events and new pilot projects are starting soon. The private sector’s feedback has also been critical in these initiatives, because they are often the frontline for cyber attacks.
Kicking Off the Discussion
In August 2012, the Northern California Regional Intelligence Center (NCRIC) held a roundtable for cybersecurity stakeholders that included representatives from the financial and IT sectors, as well as federal, state, and local officials. These participants identified two types of information sharing: fusion centers engaged in sharing tactical information on company or sector-specific situational awareness; and 2) fusion centers sharing strategic information on threats, risks, and trends through strategic forums that involve both the public and private sectors. IACP partnered with the Department of Homeland Security to facilitate a December 2012 roundtable to further clarify requirements for cybersecurity information sharing.
Cybersecurity Evaluation Environment Pilot Kick-off Event
Building on the momentum of the August and December events, the NCRIC and the IACP held the Cybersecurity Evaluation Environment Pilot Kick-off Event in February 2013. The first day of this two-day event focused on soliciting cybersecurity information sharing requirements from industry partners and developing potential federal, state, and local government processes for cybersecurity information sharing with the private sector. Participants also discussed government requirements for cybersecurity information sharing. On the second day, the government participants worked on the design of a “cybersecurity pilot” that would develop a fusion center cybersecurity information sharing capability.
View from the Private Sector Representatives from five San Francisco Bay area companies participated in the morning session on the first day of the Pilot Kick-off Event. The companies were from the financial and IT sectors, as well as public utilities.
Every private-sector participant viewed cybersecurity as one of their top threats. Specifically, the types of cybersecurity threats they most commonly face include distributed denial of service attacks, insider threats, malware targeting their human resources and supply chain systems, and phishing attempts.
They emphasized the need to address both the gray area and the time between when the government knows about a threat and when information about that threat is shared with the private sector. And, they felt it was equally important to share their information about threats and attacks with government entities.
Role of Fusion Centers Some private-sector participants noted the close partnerships with fusion centers and other contacts in state and local government, while others stated that they preferred dealing with federal partners. Those who preferred dealing with federal partners did so out of a belief that the federal partners would find their information more valuable and be able to apply greater resources toward handling and analyzing this information. One private sector participant opined that the financial industry builds “concentric circles of trust” among each other and extending outward to the federal government. These trusted relationships dramatically reduced the lag time between when the federal government perceives a threat and when it is shared with others in the financial sector. This participant also acknowledged that the circle of trust should expand to include fusion centers, and state and local governments; this expansion will require effort by both the private and public sectors to engage with each other.
Private-sector participants also stated that they may need cybersecurity information from sectors outside of their own traditional sector. For example, potential threats to power grids or other critical infrastructure could easily have significant effects across many different sectors. Working with local fusion centers could be an important way to facilitate this information sharing because of their physical presence within the communities that they serve.
Role of the Federal Government Other private sector participants urged the federal government to standardize cybersecurity threat intelligence data, make it machine-readable, and insist on a data exchange standard, such as the Structured Threat Information eXpression (STIX). Additionally, participants called for the federal government to provide explicit instructions for how the critical infrastructure/key resources sector should practice “cybersecurity hygiene,” such as instructions for identifying what to patch first and how a company or industry should prioritize their remediation based on their specific sector and the nature of the attack.
The Way Ahead
Planning is underway to organize and run a Cybersecurity Evaluation Environment Pilot in early 2014. This planning involves a host of stakeholders, including the federal, state, and local governments; fusion centers; law enforcement; homeland security; and cybersecurity organizations. We are also helping to fund and coordinate several information sharing pilot projects. If you have questions, please feel free to contact the PM-ISE or post a question in the comments.