Stanford CIS

Information sharing to the cyber-rescue, again!

By Richard Forno

Yesterday, news emerged (or was officially leaked) that the President will announce an initiative designed to bolster American Internet security: the Cyber Threat Intelligence Integration Center. Based on the post-9/11 designed National Counterterrorism Center (CTC), this new organization purportedly will serve as an 'intelligence fusion center' within the Office of the Director of National Intelligence and work with the private sector in developing and sharing information and analysis related to Internet security threats, vulnerabilities, trends, and situational awareness.

Clearly, recent Internet security events - Anthem, Target, or Home Depot, among others, coupled with the ongoing controversies in enacting new cybersecurity legislation such as CISPA - are the driving factors behind the President's announcement.  Of course, Sony's high-profile (yet potentially self-inflicted) cyber-victimization last year continues to be invoked as a significant reason for the government's need to "do something" in response to ongoing and high-profile Internet security incidents, too.

However, the President's proposal appears to be little more than another public-private 'information-sharing' initiative that reflects Washington's preferred method of looking like it's improving Internet security, one that dates back to 1998 with PDD-63 and the establishment of the National Infrastructure Protection Center within the FBI.  While there's always hope such initiatives will indeed lead to more consolidated, streamlined, and actionable analysis and information coordination, history suggests that's not necessarily the likely outcome and this new organization in all probability will be the latest addition to the patchwork of overlapping information-sharing bureaucracies already in existence.

Truth be told, whenever I see a new information-sharing (or Internet security enhancement) proposal emanating from Washington, I'm reminded of a scene from the classic BBC series 'Yes Prime Minister' -- to get the full effect, replace "Prime Minister" with "Washington" and substitute "reduce unemployment" with "improve Internet security":

Sir Arnold: I presume the Prime Minister is in favour of this scheme because it will reduce unemployment?

Sir Humphrey: Well, it looks as if he's reducing unemployment.

Sir Arnold: Or looks as if he's trying to reduce unemployment.

Sir Humphrey: Whereas in reality he's only trying to look as if he's trying to reduce unemployment.

Sir Arnold: Yes, because he's worried that it does not look as if he's trying to look as if he's trying to reduce unemployment.

Nevertheless, Washington continues to view "information sharing" as the silver bullet panacea that will automagically lead to effective Internet security improvements -- just throw enough such initiatives out there over time, and one of them just has to solve the problem, right? After all, such centers are fairly easy to set up, not that expensive to run, and demonstrate the politically expedient values of industry-government cooperation on a high-profile public issue. Not to mention, 'cyber watch centers' make great photo op venues for politicians to show how committed they are to improving Internet security when making speeches about technology security -- following the next major Internet security crisis, of course.

This proposal, as we know it at the moment, raises several questions:  As media reports (here and here) note, isn't this what the 'cyber' element of DHS was supposed to do?  What about potential overlap with FBI, NSA, DHS, DOD, DOJ, and other entities vis-à-vis the success (or lack thereof) of their similar and overlapping capabilities? What changes, if any, regarding how information is treated (think: over-classification) will take place and facilitate a more effective outcome?

Regardless, if history is any guide, I fully anticipate proponents to ignore those matters while marginalizing any annoying questions regarding oversight, accountability, privacy, and data retention.

As we've seen with the fusion centers rolled out in recent years to "protect the homeland" from terrorism, such operations are ripe for abuse in data collection, questionable generalizations in developing indications and warning (I&W) alerts, over-reach of statutory authorities, and infringing upon civil liberties.  However, I expect the usual coterie of ex-government 'cyber experts' to fully support this initiative, as will many in Congress (for any number of real or perceived reasons as I discussed last month) even though it's reported that Congress was barely, if at all, consulted before yesterday's announcement/official leak.

It's still early, but I am skeptical, if not borderline cynical, about this latest 'cyber' initiative's role in actually improving Internet security.