University Says Government's Pretty Terrible At Sharing Cyberthreat Information

from the welcome-to-Threat-Club dept

Mon, Apr 11th 2016 3:31pm — Tim Cushing

Multiple government agencies have gone all-in on cybersecurity. CISA was pushed through late last year -- dumped into the back pages of a "must pass" omnibus spending bill. Just like that, the government expanded its surveillance power and cleared its cyberthreat inboxes to make way for all the information non-governmental entities might want to share with it. It promised to share right back -- making this all equitable -- but no one really believed the government would give as much as it would take.

Right on cue, a university heavily involved in scientific research says the government really isn't interested in sharing information.

Virginia Tech is no stranger to hackers. Randy Marchany, the school's chief information security officer, says he assumes the attackers are already inside the networks. The university's attack space includes power generation networks, campus police databases, research files, student records and retail payment systems, among other sensitive digital operations, he said.

[...]

Marchany lamented what he says has been a growing trend during the last couple of years of the government restricting information about ongoing hack campaigns — information that could help his staff identify the suspicious activity they already glimpse on systems.

"The federal government now has this tendency to try to put a classified label on everything, and so I have to sometimes go to a dark room and have people hand me information that I can only look at," he said.

The government wants to have its secrecy and eat its portion of the "sharing" cake, too. Oh, it may be "sharing" in the sense that it's not completely withholding some information pertinent to its partners' interests. But it doesn't share information. It holds onto the information, delivers it only on its terms, and any entities it does decide to share info with should consider themselves lucky its hasn't decided the information is so "sensitive" as to be withheld completely.

Not only will sharing partners need to pass intrusive background checks and obtain security clearances, but they'll also need to have superhuman retention skills, seeing as they aren't allowed to make copies or view information for any longer than the government feels is necessary.

Marchany notes that information he's been allowed to glance at in underlit rooms has been useful in correlating unusual events witnessed on Virginia Tech's end, but still feels the government could do a much better job disseminating information.

This is what tech companies and other entities feared: that the government's idea of sharing was mostly one-way. Private entities would be considered too insecure to trust with the government's threat info, but are expected to pass along anything of interest to a government which has proven multiple times it's far less secure than its sharing partners.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, cyberthreat information, information sharing

13 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Capt ICE Enforcer, 11 Apr 2016 @ 3:44pm

Comparing Apples to Apples
Well. Gosh the government seems to have no problem sharing Apples security flaws with iPhone. Oh wait....
[ link to this | view in chronology ]
PlagueSD (profile), 11 Apr 2016 @ 4:06pm

Government is terrible at sharing pretty much everything!!!
[ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2016 @ 5:05pm

Which brings the question given the bad faith the government has displayed as to why anyone would want to share data with them.

This points at part of the root of why the tech companies don/t trust the government and why the government is having such a hard time recruiting new members out of the tech fields.

You sow what you reap.
[ link to this | view in chronology ]
- That One Guy (profile), 11 Apr 2016 @ 10:22pm
  
  Re:
  Which brings the question given the bad faith the government has displayed as to why anyone would want to share data with them.
  
  "Now see here's how it's going to work. You can provide us with that data voluntarily, or we can come back with a 'court' order and a gag clause and you can hand it over anyway. Little head's up though, if we have to leave and come back, we're not going to be in the best of moods, just something to think about."
  [ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2016 @ 5:23pm

Reciprocity
Reciprocity is the true definition of sharing. Share with those you trust and will respond in kind, the rest can figure it out themselves.
[ link to this | view in chronology ]
Jeffrey Nonken (profile), 11 Apr 2016 @ 9:19pm

I guess it's time for a non-governmental clearinghouse, since the government won't do it. Obviously said clearinghouse won't want to share with the government, so the government will be cut out of the loop... and then will complain loud and long about the selfish citizenry.
[ link to this | view in chronology ]
Anonymous Coward, 11 Apr 2016 @ 10:05pm

"The university's attack space includes power generation networks"

If the power generation network is on the Internet they're doing it wrong.
[ link to this | view in chronology ]
- klaus (profile), 12 Apr 2016 @ 2:15am
  
  Re:
  "Randy Marchany, the school's chief information security officer, says he assumes the attackers are already inside the networks."
  
  I'm reading it differently, that the CISO sees the threat as being internal, already on campus.
  [ link to this | view in chronology ]
- Anonymous Coward, 12 Apr 2016 @ 7:59am
  
  Re:
  Maybe the author confused PoE for actually power generation. I am not sure why you would even want to have backup generators on the network.
  [ link to this | view in chronology ]
klaus (profile), 12 Apr 2016 @ 2:16am

The Problem in One Word...
Overclassification.
[ link to this | view in chronology ]
Anonymous Coward, 12 Apr 2016 @ 2:28am

Information sharing is hard even IN universities
I recently left a position at a large public university with multiple campuses. One of those campuses suffered a major, well-publicized breach a few years ago...so naturally I reached out (a) to offer help and (b) to get details, so that I could make sure my operation wasn't vulnerable to the same problem.

Response: "We're not allowed we can't it's confidential security policy blah blah blah".

Pointing out that we work for the same university had no impact. Pointing out that at least one (and probably more) bad guys already had the info had no impact. Pointing out that as bad as one breach was, having two or more happen the same way would be worse had no impact.

I gave up after a year of trying.
[ link to this | view in chronology ]
dcfusor (profile), 12 Apr 2016 @ 8:32am

Power generation at VA Tech
I live nearby, and have employed techies from there from time to time in the past. The place has a midsized power plant for educational and co-generation for the campus and surrounding town. Not a gigawatt class thing, but pretty large - the townies paid lower prices for power than most on the grid. I assume at least monitoring is on their LAN, if not more, as part of the program.

I have not been real impressed with Tech's tech, FYI. Sure they have a few brilliant people, but the average?

A professor of mech engineering pulled his wife's Volvo in half while towing it up the hill in the snow with his tractor. They stopped in front of my house, he let the tractor roll back a bit while they discussed, and when he got back on, he forgot about slack in the chain, popped the clutch, and bang - while we watched through our greenhouse window. They were even more upset at hearing us laughing maniacally.
[ link to this | view in chronology ]
Anonymous Coward, 12 Apr 2016 @ 9:36am

...why would anyone expect something different? The entire effort by the government in the past couple years has been to introduce backdoors into all computer systems. Since they haven't managed to legally enforce this, why would they give up information on the backdoors that they already know about? Allowing people to fix said doors is directly against their goals.
[ link to this | view in chronology ]