At a web conference meeting with IT security professionals in early December, IT advisory services firm Wisegate polled the small group about how comfortable they were with sharing cyberthreat information with industry peers and with government agencies.
When “sharing” included giving information to the government, about half of the group thought it was a bad idea. But when 'government' was taken out of the sharing equation, some 80 percent of respondents were at least 'somewhat comfortable' with sharing their knowledge.
[ ALSO ON CSO: Silicon Valley wary of U.S. push for cyber security info sharing ]
Their mixed feelings about collaborating on security issues are common. Almost two years after President Obama's executive order on cybersecurity, a document that has shaped the cyber policy landscape, and one year after he signed an executive action aimed at increasing private sector information sharing on cyberthreats, questions remain regarding whether we can truly make collaborative security work.
Most recently, the Cybersecurity Information Sharing Act, a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime, was added to a consolidated spending bill in the U.S. House on Dec. 15. Some view it as a surveillance bill in disguise or think that it will complicate relations with foreign assets that forbid passing data to third parties.
U.S. businesses often have technical clues that could help thwart or limit the damage from a cyber attack – whether it's a nation-state sponsored act of aggression or a criminal hack – but they’re often reluctant to share what they know, fearing possible legal liability.
On the flipside, the government often has information on looming cybersecurity threats, but struggles to quickly push it out to the private sector amid legal and national security constraints.
Luckily, many industries and organizations have been collecting and disseminating threat information among themselves for years – some through industry groups, others by peer group crowdsourcing, and others through vendors that sell the information. Most of these organizations agree that information sharing is working, but there are still many challenges.
Financial services lead the way
Financial Services Information Sharing and Analysis Center, one of the oldest and largest ISACs, is a private, non-profit group with 6,700 member organizations worldwide.
“We have [government] partners that might share intelligence with us, but we’re not as much about providing information back to the government. That’s not what we do,” says Andrew Hoerner, an FS-ISAC spokesperson, adding that it took time to build relationships and trust among its members.
While he can’t talk about specific attacks that were thwarted because of information sharing, Hoerner could point to instances where one large bank will share information about an imminent cyberattack with another bank. If that bank has seen that same threat, they work together on a patch. If a bank’s competitors haven’t seen a similar attack, then they know they’re experiencing a targeted attack specific to their environment and have to react differently, Hoerner says.
More recently, midsize banks have been targeted by attackers as a testing ground or pathway to big banks, so FS-ISAC is working with smaller banks to identify and stop those attacks, he says.
The center is also sharing its Soltra Edge software with all industries to automate and speed the flow of threat intelligence between entities. The software is jointly backed by the Depository Trust and Clearing Corp.– a mega clearing house for transactions processing. FS-ISAC offers the software free to all industries sectors, and so far health care, energy, manufacturing and government entities have used it.
“It replicates all the protocols and controls you have for sharing,” Hoerner says. Instead of relying on several sources for cyberthreat information, “It just makes things faster and more efficient.”
The retail industry is just beginning its information sharing journey. The Retail Cyber Intelligence Sharing Center was launched in May as an independent organization by the Retail Industry Leaders Association.
“The biggest and most universal problem [with information sharing] is that trust tends to happen between individuals, and not between organizations,” says Wendy Nather, R-CISC research director. “When we talk to people, we find that they already have information sharing going on – it’s just with individuals that they trust. Getting them to shift that trust to an organizational relationship and keeping that going when the original person moves on (which happens a lot in security) is the biggest challenge.”
R-CISC already has about 50 corporate members, and some of them come from outside the retail industry, Nather says. Oil and gas companies have joined the retail group, for instance, because most gas stations also operate convenience stores. Some financial institutions that are FS-ISAC member also joined the retail group because of POS and credit card cyberthreats. Fast food restaurants, automotive companies, hospitality groups and even casinos have joined the R-CISC.
The center is also protective of the data it shares with federal agencies. “In general, we don’t share anything outside of our retail circle unless a member submitter agrees to it,” Nather says.
R-CISC provides members with weekly cyber-information briefings, and it is working with vendors to provide free resources, such as reversing labs for members during the holiday shopping season, where they can set up cloud-based instances and upload malware samples for examination.
The center also launched a project with George Mason University to research the obstacles to threat intelligence sharing among retailers. Longer term, R-CISC is working on ways to monitor the supply chain security of its members. “There’s a huge ecosystem out there and not everybody is looking at the security of suppliers,” Nather says.
Crowdsourcing speeds info sharing
Information sharing doesn’t have to run along industry lines. At Wisegate, information is shared among IT security professionals from many different types of companies.
“The old information-sharing model of relying on an ‘expert’ to aggregate and disseminate information doesn’t match the pace today of cybersecurity challenges,” says Sara Gates, founder and CEO of Wisegate, which helps security professionals collaborate on security issues using crowdsourced IT research. “The timeframe we have to react and respond won’t work” with this model. Gates says peer information sharing takes advantage of the speed of information -- from issue to discussion to solution.
Members pose questions on their latest security issues to Wisegate, and the firm uses a matching algorithm to identify the most pressing issues. Within 48 hours, the firm holds live roundtable discussions with interested members, whose identities and companies have been vetted, but remain anonymous in discussions. More importantly, “members can go back to their management and say ‘this is what our peer group is doing,’” she adds.
Too much information?
With dozens of information-sharing organizations popping up – along with private sector vendors, open source, and government entities that disseminate cyber threat information – finding the most accurate, targeted information could get more difficult.
“If you’ve got 20 people feeding you threat intel and some of it conflicts, how do you make a choice?” says Hugh Thompson, program committee chair and advisory board member to RSA Conference, which brings together thousands of IT professionals annually to discuss information security.
Many of the topics being batted around for the 2016 conference focus on the new challenges of information sharing. The 2014 conference focused on encouraging companies to share information, Thompson says. By 2015, topics moved to the mechanics of sharing, such as industry standards for capturing a threat, codifying it and writing it in XML.
“This coming year, folks are getting down to the most mature questions. What, at the end of the day, is our policy for sharing information? When is it a good idea for us to share it? That has all kinds of interesting complications -- most of it being legal. Is it OK to talk about this vulnerability? Will it expose a third party? Will it alert an attacker to an ongoing investigation? Will it open us up to liability by our customers?” Thompson says.