Corporations will be asked to contribute cyber intelligence to a new federal agency tasked with analyzing threat data culled from as many public and private sources as possible in order to more quickly spot attacks and attribute them to the guilty parties.
President Obama has announced formation of a new agency, the Cyber Threat Intelligence Integration Center (CTIIC), that will gather data broadly and scrutinize it so the U.S. has a single analysis of cyber incursions, a lack that complicated and delayed the administration's response to the Sony hack.
The 50-person, $35 million agency will cull data from federal sources (the CIA, FBI and NSA) but will also rely on data that corporate security pros gather in their day-to-day work protecting private networks.
While the administration can set up the CTIIC without authorization from Congress, requiring private industry to contribute requires new laws that have already been proposed.
But the cost of sharing this information is one factor businesses will worry about. "No business will spend money to give CTIIC data from a sense of national pride. There will either need to be a motivating carrot or a regulatory stick," says Jonathan Sander, the strategy and research officer for STEALTHbits. He says security pros all agree sharing this data results in quicker and better responses to attacks, "But the security community doesn't write the budgets."
Another concern is that it will be hard to staff the CTIIC, given that the needed talent is limited and "those with the requisite skills can make much more in the private sector," says Ken Westin, a senior security analyst for Tripwire.
Private organizations already have back-channels for sharing this type of data, usually made up of the major players in given industries, such as finance, says Stephen Coty, chief security evangelist for Alert Logic. Just as preserving confidentiality is important to these ad hoc groups, it will be of concern to businesses sharing with the government, he says. For example, it's OK to say "Here's the details on a phishing campaign levied against a U.S. bank," but not OK to mention the bank's name, particular IP addresses attacked and the like.
Obama has proposed information-sharing laws that would protect private entities from legal and regulatory action for turning over cyberthreat indicators to the federal government. A group including representatives of the departments of Justice, Homeland Security, Defense and Commerce would set up policies for retaining and destroying this threat information depending on whether it meets the criteria set down in the law. The group would also set guidelines for anonymizing data included in these threat indicators.