The Department of Homeland Security's plan to selectively share information on zero-day vulnerabilities is too restrictive and should be opened up to more companies, experts say.
DHS Secretary Janet Napolitano told Reuters this week that the agency would discreetly share classified information on software vulnerabilities that are unknown to the application developer.
The National Security Agency and other intelligence agencies buy the exploits for such flaws from bug hunters and resellers, so they can be used in cyberespionage missions.
The exploit signatures, called "indicators," would be shared with security service providers that have government clearance. These companies would provide a service for detecting and blocking the exploit-carrying malware from the networks of companies that have been designated as critical infrastructure, such as utilities, financial institutions and defense manufacturers.
"At no time do those indicators ever leave that entrusted environment within the commercial service provider," said Jeff Jacoby, director of information systems, operations and services at Raytheon. The defense contractor has agreed to provide what the government calls its Enhanced Cybersecurity Services. Other initial providers include AT&T and Northrop Grumman.
In general, any government effort to share cyberattack information is welcomed by security experts. On the flip side, efforts to limit the data flow are frowned upon.
"While it is understandable that the government is starting slowly, I would like to see much broader sharing of information," said Wolfgang Kandek, chief technology officer for vulnerability management company Qualys. "From an offensive point of view, it is certainly valuable to maintain a certain number of exploits in private, but for defense the best option is to share the vulnerability information with the software vendor as quickly as possible."
Andrew Braunberg, research director for NSS Labs, which performs security analysis on software, said the government wants to share data while also keeping the zero-day bugs useful for its own purposes.
"Most obviously, the U.S. government wants it both ways," he said. "They don't really want these vulnerabilities to disappear because they want to use them offensively, but they don't want the same vulnerabilities to allow hacking of U.S. assets."
By not being universally available, the DHS plan could miss smaller businesses that hackers could use as an entry point to the networks of critical infrastructure companies they sell products or services to, some experts said. A recent report from Symantec found that the percentage of attacks targeted at companies with 250 employees or less almost doubled from 2011 to 2012.
"We may be addressing the big, defense-related organizations, but they're a fraction of the industry that would be left in the dark," said Rich Barger, chief intelligence officer for Cyber Squared, which specializes in protecting data in cyberattacks.