While there has not been an avalanche of support to start out, the Department of Homeland Security (DHS) started sharing cyber threat data with federal agencies and private companies in accordance with a major cybersecurity bill passed last year.
“This is the ‘if you see something, say something’ of cyber security,” Homeland Security Secretary Jeh Johnson said in a talk at the agency’s data-sharing hub in Northern Virginia, the National Cybersecurity and Communications Integration Center (NCCIC).
The NCCIC will receive data on possible cyber threats from program participants, scrub it for personal information and disseminate it.
The goal of the new law, the Cybersecurity Act of 2015, is to help defend against cyber attacks by boosting information sharing between private companies and the government.
The program is voluntary, and how many companies will participate, we well as how useful the information will be, remains unclear.
Approximately six organizations had signed up as of Thursday, with others expressing interest, said assistant cyber security secretary Andy Ozment.
“This is a big deal,” Ozment said. “We’re not going to launch out the gates … and have thousands of companies sharing all sorts of information. We want to make sure we’re providing value and growing.”
The bill requires any personally identifiable information shared through the program to directly relate to a cyber security threat, a safeguard meant to protect citizens’ privacy.
But whether the government can end up trusted to adequately protect the information it receives and shares was a major sticking point in the passage of the bill, and a recent internal review of the DHS’s threat-sharing system cast some doubt on its adequacy.
Despite safeguards to prevent personally identifiable information from releasing, there is a “residual privacy risk these processes may not always identify and remove unrelated [personal information], thereby disseminating more [information] than is directly related to the cybersecurity threat,” the internal DHS report revealed.
The system is ultimately intended to be fully automated, though right now some data still requires human attention.
If a field contains information the system doesn’t recognize, it will flag it for a human analyst who can determine whether it contains personal information before it is shared.
“As companies come on board, we’ll learn more about what’s useful,” and how to more effectively streamline the process, said Suzanne Spaulding, a Homeland Security cyber official.