Black Hat: Closing 'trust deficit' between industry, government

Homeland Security is getting ready to award a contract to set standards for its Information Sharing and Analysis Organizations (ISAOs), but many in the private sector are still wary of participating.

Much of that trepidation is a direct result of a "trust deficit," according to DHS Deputy Secretary Alejandro Mayorkas.

During a keynote address at Black Hat 2015 in Las Vegas, Mayorkas asked a room of hackers and cybersecurity professionals — both independent and from industry — what can be done to foster trust in government, specifically DHS.

"The best way to tackle a trust deficit is to build trust," he said. "It may very well be an incremental process but it has to start somewhere. I ask that we be given the opportunity to bridge whatever trust deficit exists — let's start somewhere."

An attendee asked Mayorkas how they could trust the government to protect their proprietary information when it hasn't been able to protect its own, citing the breaches at the Office of Personnel Management and others.

The deputy secretary acknowledged that fear but said DHS's security posture is better than most.

"Different parts of the government are more advanced than others," he said, adding that the "OPM breach was obviously a significant challenge … but in government one must address it as an opportunity."

Federal agencies went through a 30-day sprint to increase cybersecurity in the wake of the OPM breaches, which should go a ways toward assuaging some of those fears, Mayorkas said. But he added that there's still a lot to be done to establish trust.

"The rattled confidence is born not exclusively out of the OPM breach," he said. "We've got to rebuild or strengthen the trust relationship."

That relationship will likely be developed slowly, one step at a time, he said.

"The question is: Where can we start to build it, repair it and what will it take? Let's start somewhere – start small and let's build from there."

For example, Mayorkas suggested a company might suffer a breach in which disclosing attack information would expose sensitive data that could put the company or its business at risk. Since participation in the ISAOs will be voluntary, the company might choose not to share in that instance.

"But maybe there is an attack where you would feel comfortable and perhaps you'd be willing to give that a try," he said. "And maybe the response [from DHS] in total will build some confidence for you."

Ultimately, Mayorkas was asking for industry to take a chance for the greater good.

"As we develop now the automated capacity to receive and disseminate threat indicators, we ask that you give us a chance, that you share some information with us and allow us to prove our capabilities and prove our results," he said. "It is absolutely vital to the ability to protect the ecosystem that those cyber threat indicators are disseminated and shared far more widely than they are now."
