The Department of Homeland Security is offering a simple message to state and local governments when it comes to cybersecurity threat information sharing — there’s nothing to be scared of.
At the National Association of Counties’ legislative conference Friday, Mike Echols, director of the department’s cyber joint program management office, implored the state and local IT leaders in attendance not to be afraid of the federal government’s information sharing efforts and to start engaging with them to better protect the nation’s networks.
“Our information sharing is broken, but we’re working very hard to fix it,” Echols said.
Since President Barack Obama issued an executive order last year promoting the value of information sharing, Echols said he’s been trying to break down the layer of mistrust that still exists about the information sharing and analysis organizations — called ISAOs — DHS is trying to set up around the country.
Though Echols believes he’s made some progress in that process of encouraging collaboration so far, he said he still encounters mistrust from IT policymakers at all levels.
“People say to me, ‘You’re just setting up these ISAOs so you can pass all the information to the NSA,’” Echols said, adding that the ISAOs are designed to be independent of DHS and transparent for the companies, local governments or other organizations that join them as members. “When these ISAOs share information with the federal government, it’s going to be anonymized. We don’t need to know who it is that’s sharing that information unless they choose to.”
In fact, Echols estimated that all governments and private sector companies could prevent 80 percent of all the breaches they see, if only they followed the standards the feds have developed and had access to more information about cyberthreats.
While he acknowledged that not every locality or company boasts comparable resources to the largest states or businesses, he still believes security officials nationwide could benefit from improving their “education level.”
Echols also charged that many governments still seem to be waiting for the private sector to develop a cyber “silver bullet,” a development he doesn’t find especially likely.
“Everybody’s looking for the Mandiants, and the Apples and the Googles, and the Microsofts to come up with a silver bullet,” Echols said. “We work with all of those companies, and we can tell you that that’s not going to happen. This only happens through a partnership, and we’re going to work very hard to make the partnerships between government and corporate, and now we’re working hard to make the partnerships federal, state, local.”
For states and localities, Echols thinks the key is building relationships with federal entities during the quiet times so that they can help respond more quickly to any breach or other crisis. In particular, he pointed to the FBI field offices around the country, the Multi-State Information Sharing and Analysis Center and the DHS National Cybersecurity and Communications Integration Center — or NCCIC — as especially helpful resources.
As an example, Echols cited the ransomware attack at a California hospital as the type of cyber crisis that would make these relationships critical.
“Once we start talking to each other and building these relationships, once something like a ransomware issue happens, immediately you’re talking to the FBI, you’re calling the NCCIC,” Echols said.
Overall, Echols stressed that the department’s ultimate goal was to reduce the “cascading effects” of cyberattacks, and improve the nation’s network resilience. If states, localities, and businesses start sharing more information, he thinks those goals are within reach.
“If you’re protecting your network, and the federal government is doing our part and standing there as your backstop, the whole nation becomes more resilient,” Echols said. “It’s an easy equation, but it’s very hard to do.”
Contact the reporter at firstname.lastname@example.org, and follow him on Twitter @AlexKomaSNG.