At the end of February the Cabinet Office announced, “After a successful pilot involving 160 companies across 5 sectors – defence, finance, pharmaceuticals, energy and telecommunications – the CISP will open to companies within critical national infrastructure sectors by 2013.” It added that there are plans to extend this to include SMEs in the future. Then, earlier this month James Brokenshire, the UK’s minister for security, spoke to the Chartered Institute for IT: “The new Cyber Security Information Sharing Partnership, CISP, will be formally launched later this month, providing a practical information sharing platform for industry and Government to share information on cyber security threats and mitigations.”
Today, Cabinet Office minister Francis Maude is expected to launch the Fusion Cell – a combination of MI5 and GCHQ operatives, and industry experts ‘on secondment’. The location of the Fusion Cell has not been revealed, but the interface with industry will be via a secure web portal – described as a ‘secure Facebook’ which will allow participants to choose with whom they are willing to share – in order to allow real time information sharing between trusted partners. The government accepts that it cannot solve cyber security itself, and believes that a partnership between government and industry provides the best solution.
But as an embarrassing aside, GCHQ could learn some security lessons itself. Student Dan Farrell applied for a job with GCHQ, but had forgotten his password for the application portal. He clicked ‘forgotten your password’, and received it by email in plaintext. “Not really sure how we can trust somebody like that to protect us, when they are still doing stupid things like this,” he blogged just last week. So while CISP might help with the big security issues, we also “have to focus on the basic ‘blocking and tackling’ if we stand a chance at becoming a culture of data security and privacy,” notes Rob Sobers, technical director at Varonis.
The Fusion Cell will include large screens monitoring attacks – both targets and sources – as they evolve. The intention is to be able to share technical details on both the attacks and possible mitigations. “The Fusion Cell will allow us to geographically plot where the attacks are going and which sectors are being attacked.”
The security industry is supportive. “This is a key step forward for both Governments and business in fighting web attacks, and reducing their impact,” commented Terry Greer-King, UK MD at Check Point. “Fighting threats together is much more effective than fighting alone.” Neil Thacker of Websense adds, “The collaboration between businesses and government to fight cybercrime can only be commended. Companies need to put aside the stigma associated with being targeted by cyber criminals and understand that it’s reality. It’s not a case of if; it’s a case of when.”
However, the whole operation will remain secretive because of the sensitive nature of the information being shared. Since cyber attacks on major companies can impact their share value, information will only be shared with the agreement of the company involved. Nevertheless, a government spokesman indicated that the pilot scheme “showed trust growing between those involved and the volume of information shared growing.” It is hoped that more companies will join the initiative in the future.
The partnership between government and industry is voluntary and is not likely to be enshrined in legislation. The UK is unhappy with the EU’s obligatory breach disclosure proposals, and there are hopes that CISP will demonstrate a successful voluntary alternative.