When a company has a significant cyber breach, the FBI, Department of Justice and Homeland Security want to hear about it. Information sharing is about strengthening the nation's cybersecurity posture, but it's also about more than just patriotism.
"I won't minimize the importance of people being good citizens," said Adam Hickey, deputy assistant attorney general for national asset protection, under DOJ's National Security Division. "But it's a business decision to bring us in."
What the government provides is perspective, Hickey said. He offered an example:
"A couple years ago, a major U.S. retail company was hacked and had PII [personally identifiable information] for tens of thousands of customers stolen. Then the hackers tried to extort the company to pay money to keep the information from being released," he said. "If you look at just those facts alone, from the company's perspective, you might think this falls somewhere between the traditional PII theft that leads to credit card fraud and ransomware."
What that company didn't realize is that one of the hackers – Ardit Ferizi – took that list, pulled out the information related to military and government personnel and gave that information over to the Islamic State group, which published it as a kill list.
Ferizi was eventually apprehended in Malaysia, extradited to the U.S. and convicted in the first case of cyber terrorism.
"What the government offers in that circumstance when the company calls us in is context," Hickey said. "Information about who the actors are; what their motivations might be; in the area of nation-state activity, what the bilateral relationship is, the strategic goals of the other country."
"I don't think that our best selling point is secret-sauce indicators of compromise," he continued. "I think what the government can offer is a broader perspective on the motives and identity and context of the adversary and their activities across the U.S."
But civic duty is also a part of it, according to Jeanette Manfra, deputy undersecretary for cybersecurity and communications with DHS's National Protection and Programs Directorate.
"There is some patriotic duty to it, in the sense that we have a collective action challenge," she said. "Part of the problem that we have right now is the attacker doesn't have to be that good, so how are we raising the cost?"
Just as a neighborhood watch raises the risk for burglars, creating a community around sharing cyber threat information raises the risk – and cost of doing business – for hackers.
"By sharing information and by creating a community – we're not just sharing information for sharing information's sake – we're trying to make sure that when somebody gets hit by something, we can get that information out to anybody else who could be also victimized by the exact same" attack, Manfra said.
"There are unique things that the government can do that the private sector can't do," she added. "And I don't think they want to do."