New cyber brief proposes network for sharing cyber threat information with private sector

The Council on Foreign Relations (CFR) Digital and Cyberspace Policy Program recently released a new cyber brief, which argued that the U.S. government should create a classified network for sharing information on cyber threats with certain private companies.

“The U.S. government and private industry have been stuck at an impasse concerning cybersecurity information sharing for over a decade,” author Robert K. Knake wrote in the brief. “While the Barack Obama administration rolled out executive and legislative efforts to increase information sharing, many U.S. companies still argue that the federal government should do more to provide them with useful intelligence on cyber threats. But the U.S. intelligence community argues that greater declassification and sharing of information with private companies could put technical sources and methods at risk.”

Knake, a senior fellow for cyber policy at CFR and a senior research scientist at Northeastern University’s Global Resilience Institute, noted that the Department of Defense already uses such a network for sharing intelligence with cleared defense contractors on threats to their companies. This system, he says, could be replicated as a way to share information with the financial sector, electricity suppliers, and other critical private-sector entities.

Creating this network would require an increase in the number of cleared personnel and facilities that can hold classified information increase and changes to intelligence collection priorities. Cooperation between the private and public sectors could help drive success in achieving this, the brief says.

Knake proposed that, as a first step, the U.S. government initiate the targeted gathering of intelligence on cyber threats to critical infrastructure. The government should then establish security standards to determine who may hold clearances. The author also proposes accelerating private-sector security clearance approvals, creating a pilot program that incorporates existing company background checks and allowing the Department of Homeland Security (DHS) to retain fees to cover the cost of expanded private-sector clearances.

“Although building a national classified cyber information-sharing network and expanding clearances introduce vulnerabilities, the potential benefits to national security outweigh the risks,” Knake wrote. “Critical infrastructure companies cannot be expected to protect themselves from adversarial nation-states without federal assistance. The U.S. government has experience running successful classified information-sharing networks, such as the one for the defense industrial base. It is time it did the same to protect financial, energy, and other private-sector companies critical to the functioning of the U.S. economy.”