Former cyber czar takes reins of threat information-sharing alliance

Consortium urges vendors, private sector, government to take holistic path to security

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Barack Obama’s clar­i­on call for wider shar­ing of threat intel­li­gence is being heed­ed by a hand­ful of top cyber­se­cu­ri­ty vendors.

I was in the audi­ence at Stan­ford Uni­ver­si­ty in 2015 when Pres­i­dent Oba­ma signed a mile­stone exec­u­tive order urg­ing the cor­po­rate sec­tor to dra­mat­i­cal­ly advance the shar­ing of cyber attack intel­li­gence among them­selves and with the fed­er­al government.

Then last month, I was cov­er­ing the giant RSA 2017 cyber­se­cu­ri­ty con­fer­ence in San Fran­cis­co, when Obama’s long­time cyber­se­cu­ri­ty czar, J. Michael Daniel, was named as the new pres­i­dent of the reju­ve­nat­ed Cyber Threat Alliance.

The idea for CTA came about a few years ago when senior exec­u­tives from Fortinet, McAfee, Palo Alto Net­works, and Syman­tec formed an exchange to share threat intelligence.

But the orga­ni­za­tion kept a low profile—until recruit­ing Daniel, and announc­ing his appoint­ment. CTA also announced the addi­tion of Israeli fire­wall pio­neer Check Point Soft­ware and net­work tools giant Cis­co as full-fledged members.

Indus­try wary of sharing

Keep in mind, the cyber­se­cu­ri­ty indus­try is obses­sive­ly com­pet­i­tive. Not only do secu­ri­ty ven­dors rig­or­ous­ly cloak the secret sauce in their flag­ship prod­ucts, they also tend to be very cir­cum­spect about shar­ing any deep intel­li­gence, lest they give up a mar­ket­ing advantage.

The result is a dupli­ca­tion of effort, on the part of the good guys, who also for­go the oppor­tu­ni­ty to put up a more uni­fied defense against the bad guys.

Pres­i­dent Oba­ma signed an exec­u­tive order urg­ing infor­ma­tion shar­ing of cyber threat attacks between the pri­vate sec­tor and the gov­ern­ment in Feb­ru­ary 2015 at Stan­ford University.

The glob­al cyber­se­cu­ri­ty com­mu­ni­ty has long rec­og­nized the need for a high­er-lev­el intel shar­ing among tech secu­ri­ty vendors—as well as between the gov­ern­ment and the pri­vate sec­tor. This was some­thing Oba­ma, with advice from his cyber­se­cu­ri­ty czar, Daniel, rec­og­nized. And it was some­thing Oba­ma cham­pi­oned with his 2015 exec­u­tive order call­ing for wider sharing.

Daniel takes skills to nonprofit

So it’s fit­ting that Daniel now car­ries that torch into the pri­vate sec­tor. Daniel built a 17-year career as an offi­cial of the Office of Man­age­ment and Bud­get. Then he suc­ceed­ed the recent­ly deceased Howard Schmidt as spe­cial cyber­se­cu­ri­ty advis­er to the pres­i­dent in 2012, leav­ing that post on Jan. 20, along with sev­er­al oth­er senior fed­er­al cyber­se­cu­ri­ty officials.

Relat­ed video: Remem­ber­ing Howard Schmidt

And now Daniel has resur­faced as the head of an orga­ni­za­tion charged with doing exact­ly what Oba­ma called for—wider threat intel shar­ing. Each CTA mem­ber has agreed to pro­vide 1,000 unique mal­ware exe­cuta­bles per day. Daniel will direct this col­lec­tion, and over­see the ensu­ing analy­sis. He also will recruit new CTA members.

The whole premise of the CTA is bring­ing togeth­er mul­ti­ple orga­ni­za­tions that col­lec­tive­ly see more than any one of them alone,” Daniel said at a news con­fer­ence at RSA.

Oth­er gov­ern­ments invit­ed to table

Daniel also let it be known that he plans to reach out to var­i­ous gov­ern­ments. “The long-term goal has got to be to cov­er as much of the ecosys­tem as we pos­si­bly can,” he said. “That is inevitably going to, down the road, involve how we actu­al­ly share infor­ma­tion back and forth with governments.”

Amnon Bar-Lev, Check Point Soft­ware president

I got a chance to sit down with Check Point Pres­i­dent Amnon Bar-Lev to dis­cuss CTA and Daniel’s appoint­ment. He gave the exam­ple of sev­er­al CTA mem­bers detect­ing dif­fer­ent mark­ers of a major ran­somware attack. Each ven­dor would toss some­thing into the pot. And this should lead to quick­er, more thor­ough respons­es to every­day threats. Bar-Lev said.

We see more secu­ri­ty activ­i­ties as a group than any­body else in the world,” Bar-Lev not­ed. “Check Point has a pres­ence of about 1 mil­lion gate­ways alone, and McAfee has like 50 mil­lion seats in the world, and Syman­tec is even big­ger, I believe.”

When CTA is fir­ing on all cylin­ders, the cus­tomers of its mem­ber com­pa­nies will ben­e­fit great­ly, Bar-Lev con­tends. “Each and every ven­dor will take home the right intel that it can use and trans­form it imme­di­ate­ly into a pre­ven­tion measure.”

For a deep­er dive into my dis­cus­sion with Bar-Lev, lis­ten to the accom­pa­ny­ing podcast.

More sto­ries relat­ed to threat infor­ma­tion sharing:
Silence isn’t gold­en: Infor­ma­tion shar­ing is key to com­bat­ing cyber attacks
The case for wider shar­ing of threat intel­li­gence in 2015
Oba­ma orders com­pa­nies, gov­ern­ment to share threat intel