For months, senior Obama administration officials have been on a charm offensive to persuade business leaders and security professionals to share more information about cyberthreats with the government, pitching the idea to often-skeptical audiences at major industry conferences this year in San Francisco and Las Vegas.
Turns out, many in the private sector are actually on board with the idea of information sharing – just not, necessarily, with the government.
Facebook announced Thursday that more than 90 companies have joined its online community ThreatExchange to trade information about threats facing their networks. But there’s one pretty obvious odd man out: The US government.
Though cyberthreat information sharing has been a major priority for the White House and many key lawmakers in Washington, government agencies are not part of ThreatExchange. In fact, those that have inquired have been explicitly told they are not invited to the information-sharing party.
“At this time, government agencies are not participating in ThreatExchange and will not, until there is legislation that clearly defines how information from sharing platforms can be used by these parties,” Mark Hammell, manager of Facebook’s Threat Infrastructure team, told Passcode in an e-mailed statement.
Key flash points in the cybersecurity debate in Washington include finding ways to give companies liability protection when sharing exposes customer data or other potentially sensitive information to government agencies. Companies and privacy advocates also want to ensure there are sufficient privacy protections in place as information passes from the Department of Homeland Security to other parts of the government, such as the National Security Agency.
These concerns have proven difficult to resolve on Capitol Hill. And even though the massive Office of Personnel Management breach compromised sensitive personal information from as many as 22 million people and sparked a firestorm in Washington, Congress left town for the summer without uniting to pass information-sharing legislation.
Facebook decided months ago not to wait for the government to start sharing.
“A common reason cited for organizations not to share information is liability coverage,” Mr. Hammell told Passcode. “However, when we looked at the potential risk of sharing information like malicious URLs, domains, and malware families – the kind of information that enables you to identify abuse – the risk of not sharing is actually greater. Other types of information, including [personally identifying information], carry a much higher risk so they're not shared on ThreatExchange.”
Think of ThreatExchange as cybersecurity social networking: Companies use ThreatExchange to swap information with specific groups or the whole community – and likewise, search the hub for information about types of malware, and threat indicators such as attempted cyberattacks or IP addresses that could help them defend their networks.
Originally launched six months ago, ThreatExchange boasts broad collaboration across the private sector, with major tech companies such as Yahoo, Microsoft, and Twitter joining forces with cybersecurity, insurance, financial services, higher education, and defense companies. Facebook also unveiled Thursday a simpler and quicker application process for new participants, with an eye on bringing in retail, telecom, and business consulting partners. More than 11,0000 organizations have already inquired about joining.
The platform is designed not to be a running feed of threat alerts, but to foster a collaborative exchange of commentary and discussion.
Facebook says it is open to participating in government initiatives. But Alex Stamos, Facebook’s new chief security officer, told reporters at the DEF CON hacker conference in Las Vegas earlier this month that it does not require new laws to share with industry partners. So ThreatExchange was able to move quickly – an average of 3 million interactions are already taking place every month on the platform, which is built on existing Facebook infrastructure and uses a set of application programming interfaces for companies to see available threat information.
Facebook's do-it-yourself attitude toward info-sharing is similar to that of some leading security companies.
“Private companies can do this on our own. We don’t need help from the government,” Rick Howard, chief security officer of Palo Alto Networks, told Passcode in a podcast interview that aired this week.
His company cofounded the Cyber Threat Alliance with other cybersecurity companies, including Symantec and Intel Security. While Mr. Howard says he's open to the US government exchanging information with companies that could "supplement" their threat intelligence gathering, the point of the alliance is for the private companies to share intelligence with each other to help the community get better at detecting and fighting off attacks.
“Let’s take the government off the table for a second. I absolutely believe that information sharing is the secret sauce to help all of us get ahead of the advanced adversaries,” Howard said. “There’s no reason we are not helping each other out with this.” Perhaps another incentive for private companies to share amongst themselves? There are doubts among many in the security community that the government will actually be able to provide private companies useful, declassified intelligence about the threats it detects.
For its part, Facebook looks forward to working “with other industry sharing communities to integrate ThreatExchange with existing workflows for easier, more complete sharing of available threat intelligence," Hammell said in a blog post.
Looks like Washington will just have to wait.