As cyber threats increase in frequency and intensity worldwide, it has never been more crucial for governments and private organizations to work together to identify, analyze and combat attacks.

Yet while the federal government has strongly supported this model of private-public information sharing, the reality is less than impressive. Many companies feel that intel sharing is too one-sided, as businesses share as much threat intel as governments want but receive very little in return.

The question is, have government entities like the FBI and CISA made significant changes to how they share intel with private organizations, or are we still facing the same frustrations and challenges as before?

Private-public intel sharing — what changed since 2021?

The year 2022 has brought a raft of new cyber threats, many of which relate to the Russia-Ukraine conflict. Despite the rising number of threats, confidence in government cybersecurity cooperation has remained skeptical.

This article, published in 2021, questioned the government’s ability or willingness to answer several key security-related questions:

  • Where was the data found?
  • Who was the attacker?
  • How was the attack uncovered?
  • What defensive measures were in place at the time of the attack?
  • What details are shareable versus what could prompt a secondary attack?

Has the situation changed in 2022? Despite some promising signs, the outlook is not overly optimistic.

An oversight report released by the Department of Homeland Security (DHS) Office of Inspector General said that the government bodies still failed to provide adequate information and context surrounding the cyber threat data it shared with third parties.

“Most of the cyber threat indicators did not contain enough contextual information to help decision-makers act. We attribute this to limited AIS functionality, inadequate staffing and external factors,” the report states.

Despite the onslaught of new cyber threats, it seems that government agencies are failing to provide the private sector with clear, contextually relevant and valuable information that might help them improve their security postures and take appropriate defensive action.

Private-public information sharing in the global sphere

In the face of these challenges, major cyber events may have eased some distrust between sectors.

Beginning in early 2022, the Ukraine war brought many new security concerns for both public and private organizations. The elevated threat motivated the government to prioritize its intel sharing with private companies.

In a statement by the FBI in March, Director Christopher Wray committed to working more closely with the private sector.

“Today, with the ongoing conflict raging in Ukraine, we’re particularly focused on the destructive cyber threat posed by the Russian intel services, and cyber criminal groups they protect and support. We have cyber personnel working closely with the Ukrainians and our other allies abroad, and with the private sector and our partners here.”

A reassuring feature of the statement was the explicit acknowledgment of the importance of the private sector’s role in national cybersecurity:

“The biggest difference between the model we built to fight terrorism and the way we battle cyber threats is the importance of the private sector. Private networks, whether they belong to a pipeline operator, some other kind of victim or an Internet service provider, are most often the place we confront adversaries. We share information with the private sector whenever we can through one-on-one outreach, through cyber threat bulletins and through our many partnerships.”

While these statements are indeed a step in the right direction, it’s still too early to determine if they translate into tangible actions for businesses. That said, one useful marker here is ISAC participation.

ISAC participation is up

ISACs — Information Sharing and Analysis Centers — are organizations designed to provide a place for gathering and sharing information on critical cyber threats. The idea is to facilitate easier data sharing between the private and public sectors. Higher participation in these bodies by private sectors could indicate a growing level of trust in the government by businesses and a move to a healthier, more productive and equal intel-sharing relationship.

At first glance, the news is positive. ISACs are gradually growing in number, and new ones are frequently introduced. In theory, this is a good foundation for more cooperation between the public and private sectors on intel sharing, but what’s happening in practice?

Inadequate information weakens cooperation

One of the issues with government intel-sharing in the past has been the government’s lack of additional information and guidance when sharing threats.

Often, governments would share information about the existence of a specific threat but fail to provide any recommendations on how to address or remediate it. Unfortunately, that criticism still exists in 2022.

According to the Department of Homeland Security’s insight report, CISA did not always provide enough information to help private entities effectively deal with vulnerabilities.

The report noted that “deficiencies in the quality of threat information shared among AIS participants may hinder the federal government’s ability to identify and mitigate potential cyber vulnerabilities and threats.”

The future of private-public threat intel sharing: What can be done now

So what does the future hold? CISA has spoken about plans to improve information sharing. From the DHS report:

“During the past 18 months, CISA’s Cybersecurity Division has added additional contractual resources to better support information sharing and is also assessing a longer-term approach to allocate resources to fully support this critical mission area.”

The project’s estimated completion date is January 31, 2023.

Only time will tell whether information sharing between sectors will improve. While government agencies make optimistic overtures and half-promises, the private sector must make do with whatever information they can get and hope it’s enough.

Historically, enterprises are reluctant to share security information due to compliance or maintaining a competitive advantage. But community services like IBM’s X-Force Exchange can make collaboration simpler and safer.

Adversaries already do this, so why not the enterprise? Whether it’s an ISAC or any other method of information sharing, better sharing practices will always help organizations reduce threat risk.

More from Intelligence & Analytics

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…