The Intelligence and National Security Alliance says a proposed Defense Department cyber threat hunting program should include liability protections for defense industrial base companies and support to help small businesses participate.
"Companies participating in a threat hunting program should be provided liability protections to insulate them from lawsuits related to disclosure of third-party data; such protection, however, would likely require further legislative action," INSA's Cyber Council said in a paper released last week.
"Small companies would likely lack the resources and expertise needed to participate in such a program, which could deter them from pursuing DOD contracts and remaining viable members of the DOD supply chain," the paper reads. "DOD should provide resources to mitigate the costs to small DIB companies or specify related expenses as 'allowable costs' under DOD contracts."
The Fiscal Year 2021 National Defense Authorization Act directs DOD to conduct a study on the feasibility of establishing a cyber threat program for the DIB. The provision is a recommendation from the Cyberspace Solarium Commission's March 2020 report.
DOD must submit the study to the House and Senate Armed Services committees by September 2021 and establish the program by March 2022 if the defense secretary "determines a program is feasible and suitable," according to the INSA report.
The INSA paper addresses incentives for "DIB primes' and subcontractors' participation in the cybersecurity threat hunting program."
The paper says, "This element directs the Secretary to explore whether 'carrots' or 'sticks' (incentives or procurement prohibitions) are more likely to encourage industry to comply. Because companies universally support advancements in cybersecurity, the Secretary's assessment should focus principally on the incentives, assistance, and potential waivers that may be needed to enable individual companies -- particularly small firms with limited resources -- to participate in a threat hunting program."
The Pentagon needs to evaluate "existing DIB cybersecurity threat hunting policies and programs, including the threat hunting elements at each level of the Cybersecurity Maturity Model Certification (CMMC)" as part of its study, according to the NDAA.
In response, INSA said, "Large DIB companies will likely be certified at the highest CMMC level and are likely already performing some type of threat hunting. The challenge lies with the small-to-mid-size companies that may be investing heavily to develop a marketable product and/or market position while endeavoring to meet CMMC requirements at an affordable cost. A cyber threat hunting program requirement will place increased financial burdens on these companies."
The paper continues: "These small-to-mid-size companies may require technical and financial assistance to remain part of a viable national defense supply chain, and must be assessed as to the level of risk they might represent to the supply chain at their current CMMC capability. Technical assistance could come in the form of trusted third-party vendors while financial assistance could be a function of US government contracting by making the cost an 'allowable cost' under DOD acquisition regulations."
INSA also provides considerations around barriers that would prevent the establishment of the threat hunting program:
Any approach that would allow DOD to have unfettered access to DIB networks to conduct cyber threat hunting, when there is no indication of an internal threat nor a predicate for law enforcement investigation, would require additional legislative authorities. To mitigate legal, liability, and privacy barriers, any cyber threat hunting program should be voluntary, company-managed and -controlled, and share tailored categories of information; even then, companies would seek liability protection, which would require further statutory authority.
INSA executive vice president John Doyon said, "As senior leaders at DOD assess the way ahead for the cyber threat hunting program, it's crucial that industry perspectives are taken into account. This paper provides decisionmakers with easy to understand insights and implementable ideas that will advance our nation’s cybersecurity posture and resiliency."