The U.S. Department of Homeland Security (DHS) is developing a system that will enable classified vulnerability data to be shared with the private sector. The information, primarily Zero-Day vulnerability data, will be sold via a select group of service providers.
To date, Raytheon, AT&T, and Northrop Grumman have been tapped to broker the Zero-Day data from the government to the private sector. The program, called Enhanced Cybersecurity Services, expands on President Obama’s order earlier this year to increase the level of information sharing between the government and private sector as it relates to cybersecurity.
During the Reuters Cybersecurity Summit last week, DHS Secretary Janet Napolitano said that the service was a way to share information about known vulnerabilities that may not be commonly available. Backing her statements, House Intelligence Committee Chairman Mike Rogers said he was glad about the plan to share vulnerability data.
“This can’t happen if you post it on a website. We have to find a forum in which we can share it, and 10 providers serve 80 percent of the market. We have classified relationships with a good number of them.”
Pricing for the information sharing service will be determined by the provider. Organizations of any size could participate, but they'll first need to be categorized as critical infrastructure.
“Most obviously, the U.S. government wants it both ways,” Andrew Braunberg, research director for NSS Labs, said in a statement to CSO.
“They don’t really want these vulnerabilities to disappear because they want to use them offensively, but they don’t want the same vulnerabilities to allow hacking of U.S. assets.”
Experts have warned that zero-day threats are just one small part of a very large picture, expressing their desire to see the government do more. Others have noted that the notion of price turns the program into a protection racket.
“Threat intelligence sharing has been shown to strengthen network defenses, which is why enterprises should take advantage of this step forward,” Lila Kee, chief product and marketing officer of GlobalSign, said in an email to SecurityWeek.
“It is also important to remember that sharing alone is not enough. Hopefully, in cases such as this, the exchange of intelligence will allow organizations to develop a more proactive and nimble approach to patch management that can be used to improve defensive postures.”
