Information sharing still a heavy lift

Cooperation on sharing cyber threat information between the public and private sector is essential, government officials at this week’s Cambridge Cyber Summit said. But they admit there are good reasons for mistrust on the private side.

Everybody shares stuff, man.

That line, from ‘70s stoner comics Cheech and Chong, was about sharing joints, of course.

But today it is about information, and the message from top-level government financial and intelligence officials is that everybody needs to do more of it.

At the Cambridge Cyber Summit this week, held at MIT’s Kresge Auditorium and sponsored by MIT, The Aspen Institute and CNBC, several of them stressed that effectively countering the level and sophistication of cyber threats to the nation’s financial, economic and political system is going to require more sharing between the public and private sectors.

“Collaboration” and “cooperation” were mentioned frequently.

This is nothing new in the online security world. It has been discussed at IT conferences for well over a decade. It has been a goal of government for that long as well, and Congress, after a number of failed attempts, passed the Cyber Information Sharing Act (CISA) late last year.


Still, stubborn resistance remains among many in the private sector.

Government officials at the event acknowledged that there is mistrust of government among both the general public and private industry, thanks in part to multiple revelations of government surveillance, ranging from those of former NSA contractor Edward Snowden to this week’s report about Yahoo allegedly allowing government screening of its email traffic. Those officials ranged from Admiral Michael S. Rogers, commander of US Cyber Command and director of the National Security Agency (NSA), to FBI Deputy Director Andrew McCabe, Deputy Secretary of the Treasury Sarah Bloom Raskin, and John Carlin, assistant attorney general for national security.

But they say both the private and public sectors would benefit, at all levels of society, from increased information sharing.

Raskin said her department “encourages a lot of sharing of information. We would like institutions to feel that they can benefit just as much from receiving information as giving information.”

She added that a failure of security in the banking system would lead to a different breakdown of trust – trust from depositors that their assets are safe.

“Potential exploitation has the effect of undermining trust,” she said. “Our ultimate objective should be to reinforce the public's trust in the resiliency of the financial product, service, or institution.”

McCabe, interviewed by Walter Isaacson, president and CEO of Aspen, admitted there is resistance “throughout the private sector” to allowing the FBI to monitor their systems in real time, even though he said that would let the agency notify an organization much sooner in the event of an attack.

Besides the obvious privacy implications, he said, “they feel it impacts their reputation and their position in the community. Nobody likes to say, ‘Hey, we've been hit.’”

But he said the FBI does share threat information regularly. “We provide notifications to private sector entities all the time, we certainly coordinate immediately and directly with the affected entity and assist them and DHS (Department of Homeland Security) in doing whatever is necessary to repel that attack.

“The problem is, you don't see everything,” he said. “The more information we are able to share with the private sector, the academic sector, the better our detection ability becomes.

“We've got to get to that point where folks are comfortable sharing information and ultimately providing access if we expect the FBI and DHS and our Secret Service and our other partners in government to be able to be more proactive in the way we address the threats,” he said.

However, there remains within private industry a strong belief that government is much more interested in collecting data from the private sector than in sharing what it has. Justin Harvey, CSO of Fidelis Cybersecurity, was one of a number of security experts who said in January, after CISA’s passage, that he believed it was “meant to be a surveillance bill from the start” and lacked adequate privacy protections.

Government speakers at the summit insisted they are committed to sharing.

On a panel titled “National Security: Hacking Democracy,” Arizona Secretary of State Michele Reagan spoke of her state’s election systems being hacked, allegedly by Russia, and said it will take a serious effort of public education by government to maintain the public’s confidence in the results of the coming election.

“It’s made people think twice about registering to vote,” she said. “We know things get shaken when people are afraid.”


The bottom line, most agreed, is that increasing private sector information sharing will be a heavy lift.

“A lack of trust with the FBI specifically is not the only driver,” McCabe said. Another is that private entities don’t want it known that they were hacked. “There's obvious economic repercussions. There's shareholder value issues. So it's a complicated mixture,” he said.

Isaacson asked if it would help to have a law that banned “derivative shareholder lawsuits if somebody discloses in real time that they've been hacked?”

McCabe said he has nothing to do with filing or passing legislation. But he agreed that it would help. “More information is better for us. That's our chance of getting out in front of this threat.”

Stories by Taylor Armerding