Comment: Cybersecurity and Information Sharing Is a Two-way Street

As threats evolve rapidly, ongoing information sharing will serve a critical role in keeping public and private networks safe

For decades, the US military has collaborated with contractors at every step of the armed services supply chain to develop innovations that help protect the physical safety of troops and citizens. Similarly, there are new information security threats that can be just as harmful to our society, from individuals to industry. Much like the military contractor relationship forged long ago that has yielded tremendous benefits, the US Congress recently increased its focus on improving cybersecurity safeguards that leverage similar public/private sector partnerships.

Through the introduction of legislative proposals such as Cyber Intelligence Sharing and Protection Act (CISPA) and revisions to the Federal Information Security Management Act (FISMA), there are several different approaches in play to address this issue. Unfortunately, the discussion has focused on the specifics of one bill or another – usually centering on what’s wrong with them, which is not helpful. Instead, the desired goals should be at the forefront of the discussion. The conversation should revolve around shaping a solution with the necessary requirements, rather than becoming mired in implementation details.

Sharing: a Two-way Street

Congress is on the right path when information sharing between industry and the government is encouraged. However, sharing is a two-way street; the government must communicate with the private sector what it observes in the world, and vice-versa.

Presently, information-sharing is only one-way, with industry sharing information with the government with little reciprocity. The very word ‘share’ implies the forming of a partnership based on common interests. Unfortunately, while information feeds into the government, an adequate amount is not returned to help the cybersecurity community take steps to respond to emerging threats.

By way of example, if the police realize that a crime wave is targeting houses via basement windows, it damages security efforts if they merely inform homeowners to increase vigilance without mentioning the basement window threat. It’s critical to understand where to concentrate time, effort and resources to stay ahead of evolving cyberthreats. The government must provide specific information on a recurring basis that can be used to protect against current and future attacks.

New Classification and Control

Effective information sharing requires a change in how data is classified and how its use is restricted. If there are attacks or other threats focused on the internet, then labeling them as “top secret” is a hindrance; this classification exists to prevent sharing.

It would be far better and more effective to update information protocols that clarify what can be shared, such as the Chatham House Rule, which offers anonymity for those who provide intelligence. The sole purpose of sharing information is to give it to those who can act upon it. Unfortunately, today’s policies hinder that ability.

Silos are Outdated

To be effective, information must be shared across industries and sectors. If these sectors remain as silos, sharing is undermined. There cannot be one set of data given to ISPs and a different set to financial institutions and security providers. Obviously, the level of detail varies across sectors based on unique needs, but there must be a consistent flow of intelligence throughout.

For instance, ISPs might only want a summary of what's occurring in financial institutions, but they should have an option to collect additional details if they are relevant. Attackers do not limit themselves to a single sector. Instead, they use methods developed against one sector to gain an advantage in others, or use information from one attack to make another more successful. If the information exchange from public to private entities is restricted to within a single sector, the system is hampered.

Over-sharing Versus Under-sharing

It is important to realize that over-sharing information is more advantageous than under-sharing. Obviously, there will be some intelligence that shouldn't be allowed outside the confines of the government, while other information should have sensitive details redacted, based on the Chatham House Rule, for example.

There will also always be intelligence that is too recent, too inaccurate or too sensitive to disseminate. There is absolutely nothing wrong with deciding not to share something. Nonetheless, it's better to have less information with fewer restrictions than more information with excessive limits that make the effort counterproductive. Such constraints create the illusion of sharing and aren't really helpful.

Coordination and Cooperation

To combat the threats of today and prepare for tomorrow, government participation in information sharing must happen, but the effort has to be a partnership with business, not merely one-way information flow. It is a positive step forward that the US government is now willing to work with industry in a partnership as indicated by current legislative proposals, but that partnership has to truly be two-way, as the very words ‘partner’ and ‘share’ mean.

David Rockvam is general manager of Entrust Certificate Services