Government’s efforts to raise the standard for cyber security with new threat sharing regulation still problematic

In response to unprecedented cyber-attacks in the past few years including breaches of the Office of Personnel Management, IRS, Federal Reserve, and now the DNC, plus rampart industrial espionage targeting United States industry, the federal government has issued a new law and regulation that seek to tighten cybersecurity in the United States and change the way the nation shares threat information.

The Cybersecurity Act of 2015, which was signed into law on December 18, 2015, is a first step by the federal government toward partnerings private and government industry to address the cybersecurity threat.  The act seeks to align private industry and domestic nonfederal entities into a federal information sharing initiative focused on sharing cyber “threat indicators.” To complement the Cybersecurity Act, the government today issued a new FAR regulation (48 C.F.R. Part 4.19) that establishes minimum safeguarding information system requirements for federal contractors.    

{mosads}These changes in the law for federal contracts provide insight into the U.S. federal government’s goals to regulate the patchwork public and private information sharing industry. Understanding the goals of the Cybersecurity Act and the new FAR regulation on information systems are important to prepare for the future of the industry.

By sharing threat indicators, the federal government hopes to encourage the voluntary exchange of cybersecurity threat information between the private sector and the federal government in a system of real-time notification. The Department of Homeland Security (DHS) has already implemented a method to accomplish this called the “Security Cyber Threat Indicator and Defensive Measures Submission System.”

A collaborative approach to defending against cyber-attacks is necessary as attacks have pivoted to targeted malware that is becoming increasingly more sophisticated. However, there are two problems with the government’s approach. First, threat indicators only tell a small portion of the entire story needed to protect against similar attacks in a community. Curated intelligence, or the full behavior pattern of attack (POA) is necessary to empower defenders to close a vulnerability to future infection. The Cybersecurity Act only tells the beginning of the story, when what we need is the entire novel.

Second, the DHS expects to receive and share a vast amount of data under the Cybersecurity Act, but recent breaches of federal systems have shown that trusting the federal government to protect data is a risky affair. To address this, security controls for the handling and retention of sensitive data must be strengthened in both the public and private sectors. Otherwise, the Cybersecurity Act could create an Achilles heel of vulnerability.      

To address the weaknesses in current cybersecurity controls, the Cybersecurity Act instructs governmental and private entities to review cyber-threat indicators and related information to identify whether such information contains personally identifiable information (PII) and to remove PII prior to sharing. Because sharing threat indicators is a “pay to play” or voluntary collaboration in which a company must share in order to receive, some companies may not join the collective for fear that their information will be misused.    

While the federal government is thus faced with these challenges in its efforts to improve cybersecurity via threat sharing, the private sector is increasingly better equipped to collectively share such information. A system where members collaborate and comment in real time on threats as they develop would provide a more robust and secure solution to the problem. Such an effort should focus on patterns of attack – which identify the behavior, techniques and tactics of the attacker. Patterns are far more difficult for an attacker to change than indicators and provide a deeper level of insight for cybersecurity professionals.  

While the new FAR regulation does not require compliance with NIST standards at the moment, it mirrors many of the security requirements listed in NIST SP 800-171 and lists 15 minimum mandatory security controls. Government contractors will need to carefully review their systems to ensure that this higher standard of cybersecurity is met. Some of the key controls required by the new regulation are as follows:

• User auditing and compartmentalization of access to only authorized transactions.

• Separation of public systems from internal networks.

• Monitoring, controlling and protecting organizational communications at the “endpoint” – or the external boundaries and key internal boundaries of the information system.

• Identifying, reporting and correcting information system flaws in a timely manner.

• Implementing protections from malicious code at the endpoint.

• Periodic scans of the information system and real-time scans of files from external sources.

The government’s focus on safely sharing pertinent threat information is an important first step in establishing a stronger security posture for organizations. However, the concerns against sharing threat information with the government and the minimal use that threat indicators will provide may prevent many companies from joining the government’s exchange.  Fortunately similar efforts from private industry may sprint where the public sector stumbles.       

O’Neill is a former FBI counterintelligence operative and currently national security strategist at endpoint security firm Carbon Black.