Feds to share cybersecurity threat info with businesses
WASHINGTON -- The Homeland Security Department on Thursday formally began sharing details of new digital threats with private business and other government agencies, a culmination of a longtime effort to improve cybersecurity.
"This is the 'if you see something, say something' of cybersecurity," said Homeland Security Secretary Jeh Johnson at the agency's Virginia-based data sharing hub, the National Cybersecurity and Communications Integration Center.
A federal law passed at the end of 2015 was intended to encourage corporations to share information about cyberthreats, making it harder for businesses to be targeted by threats used elsewhere.
The program is voluntary, and it remains unclear how many companies will participate or how effective the program will be.
Companies have long been reluctant to acknowledge security failures. As of Thursday, about six organizations had signed up and others have expressed interest, Andy Ozment, the assistant cybersecurity secretary at Homeland Security, said. The names of companies participating are closely held, and records about their involvement are exempt from disclosure under the Freedom of Information Act.
"This is a big deal," he said. "We're not going to launch out the gates ... and have thousands of companies sharing all sorts of information. We want to make sure we're providing value and growing."
Under the new law, the Homeland Security Department programmed its systems to remove personally identifiable information that might be included in what private companies share.
"As companies come on board, we'll learn more about what's useful," and learn to streamline other parts, said Suzanne Spaulding, a top Homeland Security cyber official.
If information pertains to a specific threat of economic damage, death or serious injury or the effort to prosecute or prevent the exploitation of a minor, personal information may be passed on to other agencies.
Information sharing and analysis centers, which industry groups operate, will likely participate in the new program, DHS officials said. Johnson said he was telling such groups, "We are open for business, on time and on schedule."
Rep. Michael McCaul, R-Texas, chairman of the House Committee on Homeland Security, praised the new effort following recent hacks against Sony Pictures Entertainment Inc. and the Office of Personnel Management. More than 21 million Americans had their personal information stolen in the OPM hack, which the U.S. believes was a Chinese espionage operation.
As cybersecurity experts pointed out to CBS News in the wake of the Sony hack, it's essential for companies and federal agencies to develop protocols to spot breaches early and act on them as quickly as possible.
"Organizations need to implement strategies, policies and technologies that allow them to detect these breaches when they occur, because then they can actually mitigate them," said Shawn Henry, president of the services division at CrowdStrike and former executive assistant director at the FBI. "If it goes on for months at a time that an adversary is inside the network, that's where serious damages can occur."