DHS Pushes Cyberthreat Sharing, but Companies Unsure of Value
U.S. companies are struggling to find value in sharing cyberthreat information with the government—even as the Department of Homeland Security continues to promote its program, cybersecurity pros and former DHS officials told Bloomberg BNA.
Without stronger incentives, such as better liability protection for companies that share cyberthreat data, the DHS program is unlikely to significantly expand. Companies aren’t going to “give vulnerabilities away” without getting anything in return, Paul Rosenzweig, former deputy assistant secretary for policy at DHS and visiting fellow at The Heritage Foundation, told Bloomberg BNA.
The cyberthreat sharing program, enacted as part of the 2015 Cybersecurity Information Sharing Act (CISA) and operated out of the department’s U.S. Computer Emergency Readiness Team (US-CERT) division, aims to bridge the information gap between the federal government and the private sector.
DHS officials have recently advocated for more companies to join the program, specifically saying that too many companies take cyberthreat intelligence data from the government without sharing their own threat indicators.
DHS Acting Secretary Elaine Duke said at an Oct. 4 U.S. Chamber of Commerce cybersecurity event that companies need to view cyberthreat sharing as “herd immunity,” where sharing cyberthreat information not only helps one company but the whole industry.
CISA provides some liability immunity to organizations that share threat information with the government through proper protocols. However, beyond the limited liability protections, companies need to see a value, such as more actionable threat intelligence data and increased incentives, before joining the program, cybersecurity pros said.
Jamil N. Jaffer, director of the National Security Law & Privacy Program at the Antonin Scalia Law School at George Mason University, told Bloomberg BNA that the government must “pivot from the policy discussions to effectuating these goals.”
Companies would likely be more willing to share their cyberthreat indicators directly with the government “if they are assured they aren’t going to be regulated” based on what they share, Jaffer, who served as senior counsel to the House Intelligence Committee and associate counsel handling intelligence matters for former President George W. Bush, said.
Because the government—and especially the DHS—has “historically discussed their interest in regulating” cybersecurity, some companies hesitate to share sensitive cyberthreat information, he said.