DHS Sharing Classified Threat Information With Service Providers


The U.S. Department of Homeland Security is sharing classified information with managed services providers in a bid to strengthen the security of private sector owners of critical infrastructure.

Currently AT&T and CenturyLink are approved service providers under the agency's Enhanced Cybersecurity Services program, but the agency is seeking to establish ties with other MSPs, said DHS Assistant Secretary Andy Ozment of the Office of Cybersecurity and Communications, a division of the National Protections and Programs Directorate, responsible for ensuring the security and reliability of communications infrastructure.

Speaking at the recent annual Forum of Incident Response and Security Teams (FIRST) Conference in Boston, Ozment said past attempts to share data have been hampered by communication gaps that made the information unreliable and outdated. The direct link puts threat intelligence data in the hands of providers managing systems at private-sector businesses before criminals change their approach, he said.

"We are threading the needle by engaging private-sector, managed security service providers by setting up this infrastructure to help them," Ozment said.

Under the Enhanced Cybersecurity Services program outlined by Ozment, the DHS guidelines require business owners to gain validation as a critical infrastructure entity. Service providers can get additional information to seek approval to offer cybersecurity services using intelligence data under the ECS program. The threat feed could be a win for service providers if they can gain approval without the government imposing too many restrictions on how the information could be used, service providers interviewed by CRN said.

President Obama issued an executive order on cybersecurity last year in response to cybersecurity legislation that failed to gain approval after it was widely opposed by privacy advocates and Republican lawmakers.  Privacy groups joined some technology industry luminaries who feared it could impose overarching surveillance powers while some Republican lawmakers opposed the measure, citing cost concerns associated with increased regulation. The Obama cybersecurity directive establishes voluntary guidelines for businesses in 16 critical infrastructure sectors, including manufacturing, agriculture, information technology, water and healthcare. Many of those sectors are midsize, private-sector businesses that rely on service providers to oversee critical IT systems, Ozment said.

"We’ve got the attention of large businesses and I see changes in how they run their operations but the small and medium will be a challenge to us," Ozment said.

The DHS is also developing sector-wide risk assessments in partnership with the private sector as part of implementation plans established by the National Institute of Standards and Technology. The NIST Cybersecurity Framework, a set of voluntary minimum security guidelines and related activities, was created under the Presidential Executive Order. The order establishes priorities to strengthen five high-level security areas: identify, protect, detect, respond and recover. Some businesses have industrial control systems, specialized programs that monitor and control temperature, chemical mixtures and other sensitive internal processes that are in dire need of attention, Ozment said.

"The U.S. government now has a clear approach focused not on regulation, but cooperating with the private sector," Ozment said.  "We talked to regulators and don’t see a need for additional regulations at this time."
