Only one company is sharing automated cyber threat data with the Department of Homeland Security, nine months after Congress passed divisive private-public threat sharing legislation critics claim violates privacy and boosts government surveillance.
On a panel discussing cybersecurity Monday, assistant vice president for AT&T Chris Boyer said DHS’s Automated Indicator Sharing (AIS) portal — established as part of last year’s Cybersecurity Act of 2015 as a means for private companies to automatically share cyber threats with the government — is only receiving data from one company.
“I was on a panel two weeks ago at the INSA [Intelligence and National Security Alliance] conference and they were talking about the AIS portal, and I think Gen. Touhill at the time mentioned that there’s 137 companies integrated with the portal and only one was actually sending any data.”
Retired Air Force Brigadier Gen. Gregory Touhill was appointed the nation’s first federal chief information security officer as part of President Obama’s Cybersecurity National Action Plan in September. Before that he served as deputy assistant secretary for cybersecurity and communications at DHS, which became the hub of private-public cyber threat sharing last December.
That was when Congress passed the Cybersecurity Act of 2015 as a rider to a must-pass omnibus spending bill necessary to avert a government shutdown and fund the government through 2016. Critics of the bill including civil rights groups like the American Civil Liberties Union and digital privacy advocates including the Electronic Frontier Foundation described the legislation as the latest means of funneling private information on U.S. citizens to federal law enforcement and surveillance agencies including the FBI and National Security Agency.
Apple, Microsoft and other major players in the tech industry supported the legislation, under which they’re granted liability and other protections for voluntarily sharing information, even if that information includes private data on users that would under normal circumstances violate law and subject them to legal action. DHS describes this as an unlikely scenario, citing multiple steps to scrub personally identifiable information before it leaves DHS and is shared across government agencies.
In a September panel Mark Kneidinger, director of the federal network resilience division at DHS said since going live, AIS has identified and shared more than 29,000 cyber threats (loosely described to include malicious software, IP addresses and phishing emails) with agencies participating in the program, though reports covering the event did not specify where those threat indicators originated. Agencies have until the end of October to implement AIS.
“It’s most because people are still waiting to see what the value proposition is,” Boyer said of the private sector’s hesitation to jump in, adding AIS is “still under development.”
The AT&T executive said it was important not to conflate cybersecurity information sharing with surveillance, describing them as “two district issues.” According to Boyer the vast majority of AT&T’s activities focus on protecting its own network from disruptions and the services of their business clients, since there’s simply too much individual consumer data to sift through.
“A company like AT&T, we’re seeing over 100 petabytes of data a day, so to look at individual consumer data is really challenging from a scaling perspective,” Boyer said. “But what we can do is monitor attacks on our big enterprise customers like financial institutions or even the U.S. government.”
More than private to public, Boyer said the majority of information sharing companies engage in is with other companies via gatherings of internet service providers, where they share data on attacks against their networks and successful methods for overcoming them.
“What we generally don’t share in that context are things like customer information,” Boyer said. “Even enterprise customers, because most of our customers probably wouldn’t appreciate if we were telling other folks about what’s going on in their networks.”
AT&T does however have a history of voluntarily, directly and automatically sharing private customer data with the government, long before any such arrangement was legal. Documents leaked by former NSA contractor Edward Snowden revealed AT&T allowed the signals intelligence agency to surveil “billions of emails as they have flowed across its domestic networks,” and let it install “surveillance equipment in at least 17 of its internet hubs on American soil” in a relationship NSA described as “highly collaborative,” according to The New York Times.
The reason that AT&T, Verizon, CenturyLink, Sprint are embedded there with DHS is not because they care about my billing system,” director of national security for CenturyLink Kathryn Condello said on the same panel Monday. “We are there because we carry the nation’s traffic. They care about disruptions to our traffic flows.”