US government not invited to Facebook's ThreatExchange party
For months, senior Obama administration officials have been on a charm offensive to convince business leaders and security professionals to share more information about the cyberthreats with the government, trying to convince often-skeptical audiences at major industry conferences this year in San Francisco and Las Vegas.
Turns out, many in the private sector are actually on board with the idea of information sharing — just not, necessarily, with the government.
that more than 90 companies have joined its online community ThreatExchange to trade information about threats facing their networks. But there's one pretty obvious odd man out: The US government.
Though cyberthreat information sharing has been a major priority for the White House and many key lawmakers in Washington, government agencies are not part of ThreatExchange. In fact, those that have inquired have been explicitly told they are not invited to the information-sharing party.
"At this time, government agencies are not participating in ThreatExchange and will not, until there is legislation that clearly defines how information from sharing platforms can be used by these parties," Mark Hammell, manager of Facebook's Threat Infrastructure team, told Passcode in an e-mailed statement.
Key flash points in the cybersecurity debate in Washington include finding ways to ensure companies have liability protection from such things as exposing customer and other potentially sensitive data to government agencies. Also, companies and privacy advocates want to ensure there are sufficient privacy protections in place as information passes from the Department of Homeland Security to other parts of the government, such as the National Security Agency.
These concerns have proven difficult to resolve on Capitol Hill. And even though the massive Office of Personnel Management breach compromised sensitive personal information from as many as 22 million people and sparked a firestorm in Washington, Congress left town for the summer without uniting to pass information-sharing legislation.
Facebook decided months ago not to wait for the government to start sharing.
"A common reason cited for organizations not to share information is liability coverage," Mr. Hammell told Passcode. "However, when we looked at the potential risk of sharing information like malicious URLs, domains, and malware families — the kind of information that enables you to identify abuse, the risk of not sharing is actually greater. Other types of information, including [personally identifying information], carry a much higher risk so they're not shared on ThreatExchange."
Think of ThreatExchange as cybersecurity social networking: Companies use ThreatExchange to swap information with specific groups or the whole community — and likewise, search the hub for information about types of malware, and threat indicators such as attempted cyberattacks or IP addresses that could help them defend their networks.
Originally launched six months ago, ThreatExchange boasts broad collaboration across the private sector, with major tech companies such as Yahoo, Microsoft, and Twitter joining forces with cybersecurity, insurance, financial services, higher education, and defense companies. Facebook also unveiled Thursday a simpler and quicker application process for new participants, with an eye on bringing in retail, telecom, and business consulting partners. More than 11,0000 organizations have already inquired about joining.
The platform is designed not to be a running feed of threat alerts, but to foster a collaborative exchange of commentary and discussion.
Facebook says it is open to participating in government initiatives. But Alex Stamos, Facebook's new chief security officer, told reporters at the DEF CON hacker conference in Las Vegas earlier this month that it does not require new laws to share with industry partners. So ThreatExchange was able to move quickly — an average of 3 million interactions are already taking place every month on the platform, which is built on existing Facebook infrastructure and uses a set of application programming interfaces for companies to see available threat information.
Facebook's do-it-yourself attitude toward info-sharing is similar to that of some leading security companies.
"Private companies can do this on our own. We don't need help from the government," Rick Howard, chief security officer of Palo Alto Networks, told Passcode that aired this week.
His company cofounded the Cyber Threat Alliance with other cybersecurity companies, including Symantec and Intel Security. While Mr. Howard says he's open to the US government exchanging information with companies that could "supplement" their threat intelligence gathering, the point of the alliance is for the private companies to share intelligence with each other to help the community get better at detecting and fighting off attacks.
"Let's take the government off the table for a second. I absolutely believe that information sharing is the secret sauce to help all of us get ahead of the advanced adversaries," Howard said. "There's no reason we are not helping each other out with this." Perhaps another incentive for private companies to share amongst themselves? There are doubts among many in the security community that the government will actually be able to provide private companies useful, declassified intelligence about the threats it detects.
For its part, Facebook looks forward to working "with other industry sharing communities to integrate ThreatExchange with existing workflows for easier, more complete sharing of available threat intelligence," Hammell said.
Looks like Washington will just have to wait.