NSA technical director: Sharing hacker information isn’t enough, we need a shared response – CyberScoop

The nature of cyberthreats aimed at both the U.S. government and private American companies calls for a dramatic shift in how the larger cybersecurity community shares information about hackers and collectively responds to attacks, said Neal Ziring, technical director for the NSAs Capabilities Directorate.

While raising the awareness of what different hackers and foreign intelligence agencies are doing in cyberspace remains essential, Ziring said, its simply not enough based on the level of danger and activities occurring today.

The next and necessary step is the development of a shared, public-private framework in the U.S. that can roll out software patches and other system updates at machine speed to individual researchers, industry and the government as soon as new intelligence become available, according to Ziring and Thomas Donahue, director of research at the Cyber Threat Intelligence Integration Center. They bothspoke Thursday at a cybersecurity conference in D.C.

The big thing for me is that information sharing by itself is not enough. We need to start establishing the infrastructures, the standards, the practices for shared response, Ziring said. Todays actors can be really successful because they develop this tradecraft and they get to use it over and over and over again and they advertise the investment in this tradecraft as monetizing it against lots of targets. Thats what we need to take away from them. And the only way to do that is to have a response that can be shared amongst all of us.

Zirings plan is to essentially democratize cyberthreat intelligence and make it actionable for a myriad of different U.S. partners. The market today leans on a model inwhichprivate companies acquire and sell proprietary research only to clients, keeping much of what they find accessible only to customers.

While the Homeland Security Department has helped pioneer the development of several different cyberthreat information sharing programs, a response framework like the one described by Ziring does not exist today.

With

as the new normal setting for decision making, we must improve our awareness of the infrastructure and activities of our adversaries because it is poor, our ability to respond to specific incidents is way too slow and our strategic response to that kind of behavior is at best nascent and weak, said Donahue.

At the moment, a private, nonprofit organization named the Cyber Threat Alliance, or CTA , offers perhaps the closest model to what Ziring is proposing.

The CTAs move to an incorporated entity signifies the commitment by industry leaders to work together to determine the most effective methods for sharing automated, rich threat data and to make united progress in the fight against sophisticated cyber attacks, the organizations website reads.

Founded in 2014, the CTA is exclusively comprises prominent, private sector cybersecurity firms, including Fortinet, Intel Security, Palo Alto Networks, Symantec, Check Point and Cisco, whocollectively pool threat intelligence and code-based countermeasures. Companies provide this information at-will and in good faith.

Zirings comments come nearly one month after former NSA Director Keith Alexander told senators that the U.S. government would be wise to reorganize current cybersecurity responsibilities, which are split between the FBI, Homeland Security Department, Defense Department and intelligenceagencies, into a single entity. Alexander said that this new organization would lead the efforts to develop constructive relationships with private digital security companies.

More:
NSA technical director: Sharing hacker information isn't enough, we need a shared response - CyberScoop