The potential British exit from the European Union could disrupt the major engine for economic growth that is the internet.
Speaking in a panel session at The European Information Security Summit in London, Adrian Davis, Managing Director of (ISC)2, said the potential “Brexit” will affect the political side of sharing, but not the professional side.
“The thing to remember, it is a political decision that will affect the political side of sharing, but not professionals as they have social networks across industries and I’d argue that if we do leave, more people to leave to rebuild those links,” he said.
“It comes down to one simple thing: if we don’t share the bad guys will win and destroy trust, and ruin one of the best engines for economic growth of the last 15-20 years. We have to build trust in the internet and maintain trust regardless of politics.”
Also on the panel was Mike McLellan, head of incident handling at CERT UK. He said that from the perspective of the response team, the exit could affect the EU stance on mandatory reporting and the requirement to report breaches. “That could be something we lose out on, but it is important depending on focus,” he said.
The panel focused on building trust and sharing information. Davis claimed that we have to share information, be it process, technology or product. “If you don’t share you cannot deliver and anyone can copy it and you cannot recoup the cost,” he said.
“What you don’t know will hurt you – Target will attest to that. If suppliers don’t look after information and if you are connected over internet or personally, your risks have changed to a level that you cannot express.”
McLellan agreed, saying that trust is needed because attackers are good at it and work at scale, and that we need to work to build more trust more quickly across organizations.
However, he called for better sharing of information in formats that are usable, as current reports in PDF format are time-consuming and do not scale well. He said: “We work closely with the OASIS group so we share in a structured format, but it doesn’t matter what format it is in as long as it is known.”
Scott Algeier, executive director of IT-ISAC, said that information is not the goal, but instead should be treated as a tool. He said: “The goal is to implement risk management practices and too often we see information sharing as the goal, but we need to do it better. There are advanced companies who can consume STIX and some who cannot, but you still have small companies for whom this is not that useful.
“In ISAC there are members who can consume it and others who cannot, so it is important to understand what best practice is for you, and target specific campaigns and identify subsets of member companies of like-minded companies in addition to sharing new threat reports and information exchange.”