Information sharing about cybersecurity threats has to go beyond fulfilling requirements and instead include informal relationships and discussions between agencies, according to government experts who spoke at the MeriTalk Cyber Security Brainstorm on Sept. 20.
“There are a lot of requirements that are in place today that mandate us to report and/or identify and share information either up to DHS to OMB or across the board,” said Department of Justice Chief Information Security Officer (CISO) Melinda Rogers. “But I think what can be most effective is an informal network that also gets established through knowing each other and through relationships. Ultimately as an agency, you get out what you put in.”
For example, Rogers said that she keeps up a practice of regular informal communication with Department of Homeland Security (DHS) CISO Jeff Eisensmith, to make sure that she stays on top of all the threat information that is available.
“All the component CIOs, they see each other’s posture,” said Rogers. “That goes a long way in terms of, if somebody is doing particularly well, it’s at least a resource for another CIO to potentially pick up the phone and say ‘hey how do you keep your risk posture so low?’ So I think it allows us to have an informed discussion on risk management.”
“In the Federal CIO community, I don’t think there’s anything we don’t share and can’t share,” agreed David Nelson, CIO at the Nuclear Regulatory Commission. “I don’t think there’s an issue among those we know that we can trust.”
Rogers added that informal communications can be particularly helpful for quick responses to major threats, such as the recent WannaCry ransomware outbreak.
“If something is happening in real time I end up picking up the phone,” said Rogers.
According to Walter Rochmis, acting defense intelligence officer for cyber at the Defense Intelligence Agency, though intelligence agencies struggle more with what threat information they can share and how, communication between themselves and non-intelligence agencies is still highly important.
“We should be in the room; we should be sharing things to the extent that we can,” said Rochmis. “You need these organizations that have both the formal place, where everybody gathers and knows one another […] but also the administrative and logistical engine to help drive this stuff, because it does not sustain itself.”
Chris Chilbert, CIO for the Department of Health and Human Services Office of Inspector General, explained that inspector general (IG) offices should not be viewed as purely compliance-based either, as they can often provide broader insight into the security of an organization.
“We view ourselves in the IG as sharing the initiative of the overall agency. They do look at compliance, but we’re also looking at things like penetration testing and indicators of compromise and vulnerability scanning,” said Chilbert. “Recognize that there is a capability within these IGs to provide, really, a kind of second look independently and help you understand where you may have some vulnerabilities.”
“It’s ultimately a balance,” said Rogers. “You have to be able to do both.”