Modern field guide to security and privacy

US government not invited to Facebook’s ThreatExchange party

Even though the Obama administration has been pushing for more information sharing between Washington and tech companies about digital threats, the government is excluded from Facebook's cybersecurity project.

Eric Risberg/AP
Facebook CEO Mark Zuckerberg delivered the keynote address during the company's F8 Developer Conference in March.

For months, senior Obama administration officials have been on a charm offensive to convince business leaders and security professionals to share more information about the cyberthreats with the government, trying to convince often-skeptical audiences at major industry conferences this year in San Francisco and Las Vegas

Turns out, many in the private sector are actually on board with the idea of information sharing – just not, necessarily, with the government.

Facebook announced Thursday that more than 90 companies have joined its online community ThreatExchange to trade information about threats facing their networks. But there’s one pretty obvious odd man out: The US government.

Though cyberthreat information sharing has been a major priority for the White House and many key lawmakers in Washington, government agencies are not part of ThreatExchange. In fact, those that have inquired have been explicitly told they are not invited to the information-sharing party.

"At this time, government agencies are not participating in ThreatExchange and will not, until there is legislation that clearly defines how information from sharing platforms can be used by these parties,” Mark Hammell, manager of Facebook’s Threat Infrastructure team, told Passcode in an e-mailed statement.

Key flash points in the cybersecurity debate in Washington include finding ways to ensure companies have liability protection from such things as exposing customer and other potentially sensitive data to government agencies. Also, companies and privacy advocates want to ensure there are sufficient privacy protections in place as information passes from the Department of Homeland Security to other parts of the government, such as the National Security Agency.

These concerns have proven difficult to resolve on Capitol Hill. And even though the massive Office of Personnel Management breach compromised sensitive personal information from as many as 22 million people and sparked a firestorm in Washington, Congress left town for the summer without uniting to pass information-sharing legislation.

Facebook decided months ago not to wait for the government to start sharing.

"A common reason cited for organizations not to share information is liability coverage,” Mr. Hammell told Passcode. “However, when we looked at the potential risk of sharing information like malicious URLs, domains, and malware families – the kind of information that enables you to identify abuse, the risk of not sharing is actually greater. Other types of information, including [personally identifying information], carry a much higher risk so they're not shared on ThreatExchange."

Think of ThreatExchange as cybersecurity social networking: Companies use ThreatExchange to swap information with specific groups or the whole community – and likewise, search the hub for information about types of malware, and threat indicators such as attempted cyberattacks or IP addresses that could help them defend their networks.

Originally launched six months ago, ThreatExchange boasts broad collaboration across the private sector, with major tech companies such as Yahoo, Microsoft, and Twitter joining forces with cybersecurity, insurance, financial services, higher education, and defense companies. Facebook also unveiled Thursday a simpler and quicker application process for new participants, with an eye on bringing in retail, telecom, and business consulting partners. More than 11,0000 organizations have already inquired about joining.

The platform is designed not to be a running feed of threat alerts, but to foster a collaborative exchange of commentary and discussion.

Facebook says it is open to participating in government initiatives. But Alex Stamos, Facebook’s new chief security officer, told reporters at the DEF CON hacker conference in Las Vegas earlier this month that it does not require new laws to share with industry partners. So ThreatExchange was able to move quickly – an average of 3 million interactions are already taking place every month on the platform, which is built on existing Facebook infrastructure and uses a set of application programming interfaces for companies to see available threat information.

Facebook's do-it-yourself attitude toward info-sharing is similar to that of some leading security companies.

“Private companies can do this on our own. We don’t need help from the government,” Rick Howard, chief security officer of Palo Alto Networks, told Passcode in a podcast interview that aired this week.

His company cofounded the Cyber Threat Alliance with other cybersecurity companies, including Symantec and Intel Security. While Mr. Howard says he's open to the US government exchanging information with companies that could "supplement" their threat intelligence gathering, the point of the alliance is for the private companies to share intelligence with each other to help the community get better at detecting and fighting off attacks.

“Let’s take the government off the table for a second. I absolutely believe that information sharing is the secret sauce to help all of us get ahead of the advanced adversaries,” Howard said. “There’s no reason we are not helping each other out with this.” Perhaps another incentive for private companies to share amongst themselves? There are doubts among many in the security community that the government will actually be able to provide private companies useful, declassified intelligence about the threats it detects.

For its part, Facebook looks forward to working “with other industry sharing communities to integrate ThreatExchange with existing workflows for easier, more complete sharing of available threat intelligence," Hammell said in a blog post

Looks like Washington will just have to wait.


You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to US government not invited to Facebook’s ThreatExchange party
Read this article in
QR Code to Subscription page
Start your subscription today