Sharing Classified Cyber Threat Information With the Private Sector

Introduction

The U.S. government and private industry have been stuck at an impasse concerning cybersecurity information sharing for over a decade. While the Barack Obama administration rolled out executive and legislative efforts to increase information sharing, many U.S. companies still argue that the federal government should do more to provide them with useful intelligence on cyber threats. But the U.S. intelligence community argues that greater declassification and sharing of information with private companies could put technical sources and methods at risk.

Robert K. Knake

Whitney Shepardson Senior Fellow

Fixes to this problem exist. The Department of Defense already provides a classified network for cleared defense contractors to receive intelligence on threats to their companies. Replicating this network for cyber threats has long been discussed as a way to share more information with the financial sector, electricity suppliers, and other private-sector entities critical to the U.S. economy.

Expanding this network requires increasing the number of cleared personnel and of facilities that can hold classified information, as well as changing intelligence collection priorities. These hurdles can be addressed by cooperative efforts between the public and private sectors. As a crucial first step, the U.S. government should begin the targeted collection of intelligence on cyber threats to critical infrastructure. To disseminate this information, the government should establish security standards different from those applicable to defense contractors to determine who may hold clearances.

A System Built for a Bygone Era

Information sharing has long been viewed as crucial to cybersecurity and as an area in which the government can play a significant role. If indicators of malicious activity are shared whenever and wherever they are detected, attackers will no longer be able to reuse the same methods against different targets.

The Obama administration and Congress worked together to eliminate perceived barriers to information sharing among private companies, for example through Department of Justice and Federal Trade Commission policies that addressed concerns that sharing information among competitors could violate antitrust law. Obama used executive orders to promote the creation of organizations tasked with centralizing private-sector information-sharing efforts and establishing channels with the federal government. Finally, the Cybersecurity Act of 2015 provided liability protections for sharing cybersecurity information among private companies.

Far less successful were efforts to share government information with the private sector. The federal government has the authority and capability to collect intelligence that no private company possesses. The National Security Agency (NSA) intercepts foreign communications and breaks into the computers of foreign adversaries to understand their intentions, identify the infrastructure they use, and analyze their attack tools. The FBI and U.S. Secret Service have similar authorities and capabilities domestically. Yet disseminating collected information outside the intelligence community remains time-consuming and difficult. Information either needs to be declassified to be shared or can only be shared in in-person briefings with the small number of individuals at private companies who have clearances. When such information is shared, the private sector often views it as irrelevant because the actors targeting private critical infrastructure firms may not be the same as those targeting government agencies or the military.

The federal government’s Enhanced Cybersecurity Services (ECS) program intended to address the declassification issue by providing classified information to private security service companies that would then block malicious traffic on behalf of their clients without publicly exposing the classified threat information. This program was established in 2012, but adoption has been slow, owing in part to its black box nature: companies enrolled in ECS have no way of knowing what the provider blocked or why it blocked it. The Automated Indicator Sharing program, meant to provide unclassified reciprocal sharing of indicators of malicious activity, also has seen low adoption, with only approximately 130 companies using it. This is likely because the government does not have a competitive advantage in disseminating unclassified indicators, which can be obtained from intelligence collection, gathered from open source, or purchased from third parties.

For the government to provide greater value, it should prioritize collecting intelligence on threats to private companies, particularly critical infrastructure operators, and amend its processes for disseminating that intelligence. The U.S. approach to intelligence collection traces back to the post–World War II era, when only government officials had access to intelligence, most of which was focused on foreign adversaries, namely the Soviet Union. The approach changed to include nonstate terrorist actors after 9/11, but it has not stayed up-to-date with the threat of cyberattacks on the private sector. To make cyber threat information sharing relevant to critical infrastructure operators, the private sector should play a role in setting U.S. intelligence requirements and priorities.

Challenges

The Department of Defense runs DIBNET-S, a classified network for defense contractors to receive intelligence on threats to their companies. Creating a similar program for other critical infrastructure sectors, run by the Department of Homeland Security (DHS), faces a number of challenges.

The network would require a massive expansion of the number of people with access to classified information. Already, some five million Americans have security clearances, and an enlargement of access could potentially lead to the release of classified information, similar to what happened in the cases of Chelsea Manning and Edward Snowden. However, those and other incidents led the U.S. government to tighten access to classified information, moving from a “need to share” standard to a “need to know” standard, which requires both the appropriate level of security clearance and a valid reason for accessing classified information. A network to protect critical infrastructure will need to fall within these guidelines, transmitting only intelligence relevant to defending against cyberattacks to those with a need to know and implementing best practices for insider threats.

The effort will also require the U.S. government to set security clearance requirements that companies outside the defense industry will be able to meet. These requirements need to address the persistent issue of foreign ownership and control. Many critical infrastructure companies are owned by foreign investors, a red flag for granting clearances under the current rules. Similarly, many CEOs of U.S. companies, even those who are U.S. citizens, are unwilling to submit to the background check process.

Further, clearing more individuals will exacerbate the existing security clearance backlog. DHS needs to pay the Office of Personnel Management for each clearance it grants to private-sector individuals. Clearing hundreds more personnel in financial institutions, electricity providers, and other critical infrastructure organizations would strain the DHS budget unless additional resources are provided.

Having the government spy in support of private companies, even to protect critical infrastructure operators, could set a dangerous precedent. The United States has promoted a norm that state-sanctioned espionage should not aid the commercial interests of private companies, most recently in a 2015 agreement with China. The U.S. government will need to find a way to differentiate between using state assets to collect trade secrets and intellectual property for competitive gain and using the same assets to spy on foreign governments or criminal groups to protect critical infrastructure operators against cyber threats.

Many in the intelligence community will contend that they are neither authorized nor resourced for this mission; instead their mandate is to inform national security decision-makers, not to provide intelligence and warnings to critical infrastructure operators in the private sector. Yet long-standing policy suggests otherwise. U.S. intelligence collection priorities are governed by Executive Order 12333, which gives the president the responsibility to set intelligence priorities, collect information about foreign threats, and conduct activities to mitigate them. The order also states that national intelligence efforts should consider the requirements of “private-sector entities,” as appropriate. It is also worth noting that the U.S. intelligence community has had a long-standing collection requirement to target criminal groups involved in the drug trade; thus, collecting on criminal threats to critical infrastructure beyond nation-states has precedent.

Even if concerns over authorization can be addressed, resource constraints will remain. The government will need to determine which companies it will spy for, and what priorities this effort will displace. Existing policy can serve as a guide. Under section nine of Obama’s Executive Order 13636, the secretary of homeland security maintains a list of “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” Initially, the intelligence community’s efforts to provide information to private companies should focus on this list of companies. Determining what activities to displace in favor of this project will be a considerable effort.

Recommendations

A national classified cyber information-sharing network between the federal government and critical infrastructure companies is necessary to make the public-private partnership on cybersecurity work in the interests of both parties. Most of the responsibility for making such a network successful rests with the Donald J. Trump administration, which should consider the following recommendations.

Make cyber threats against critical infrastructure companies a priority across the intelligence community. The Trump administration needs to ensure that the intelligence community’s collection priorities include cyber threats against critical infrastructure companies. The director of national intelligence should appoint a National Intelligence Office for Critical Infrastructure responsible for ensuring that the intelligence community provides necessary intelligence to the private sector. Once prioritized appropriately, DHS, in coordination with sector-specific agencies such as the Treasury Department, should solicit intelligence requests from critical infrastructure companies. These requests will be validated and passed to the Cyber Threat Intelligence Integration Center, and then sent to the NSA, CIA, and other intelligence agencies for collection. The validation process should prevent the government from being used by private companies to collect intelligence for purposes other than securing infrastructure against threats to national security.

Revamp security clearance rules. The secretary of homeland security should accelerate efforts to write rules granting clearances to non-defense companies, which have languished since 2015. The new requirements should give the secretary of homeland security unambiguous authority to determine which facilities in private companies can be cleared for holding classified information and which personnel should receive clearances. These requirements should not require the chief executives or board members of companies to be cleared or to be U.S. citizens.

Accelerate private-sector security clearance approvals. The federal government should move to rapidly clear members of cyber intelligence units at the critical infrastructure companies identified pursuant to section nine of Executive Order 13636. DHS has already identified them as critical to national security, making it logical that they be first in line to get their clearance applications processed.

Establish a pilot program that leverages existing company background checks. Corporations expend significant effort to conduct their own background checks, part of which is duplicated in the government clearance process. Moreover, many leading private-sector companies are establishing insider threat programs to monitor employees in sensitive positions. Over time, a pilot program established by DHS could provide insight into expediting the clearance process and facilitating continuous monitoring to ensure the protection of classified information.

Allow DHS to charge and retain fees to cover the cost of expanded private-sector clearances. DHS already has the authority to charge companies fees that fully cover the cost of processing security clearances for personnel and facilities, but it would not have the authority to retain those funds unless Congress specifically granted it. For other missions, DHS already collects more than $15 billion in fees across thirty-eight programs, ranging from the Global Entry program to inspecting agricultural goods at the border, which cover approximately a quarter of its total budget. If Congress is unable to act, DHS should explore entering into an agreement with one or more private contractors that would directly charge companies to cover the costs.

Conclusion

Although building a national classified cyber information-sharing network and expanding clearances introduce vulnerabilities, the potential benefits to national security outweigh the risks. Critical infrastructure companies cannot be expected to protect themselves from adversarial nation-states without federal assistance. The U.S. government has experience running successful classified information-sharing networks, such as the one for the defense industrial base. It is time it did the same to protect financial, energy, and other private-sector companies critical to the functioning of the U.S. economy.

This Cyber Brief is part of the Digital and Cyberspace Policy program. The Council on Foreign Relations takes no institutional positions on policy issues and has no affiliation with the U.S. government. All views expressed in its publications and on its website are the sole responsibility of the author or authors.