One of the first things we learn in kindergarten is how to share. In fact, sharing is part of our everyday life. We share all kinds of information about what we are doing on our social media sites. We share pictures, our opinions, and what we like and don’t like; so why aren’t we doing a better job of working together to share cyber threat intelligence information?
Protecting America’s Critical Infrastructure
Sharing cyber threat intelligence information has traditionally been a challenge in the United States. Many US-based organizations have a hard time trusting each other and have been reluctant to share information about cyber breaches due to antitrust issues, potential civil liabilities, damage to their reputation, and their desire to protect their intellectual property and proprietary business information. Additionally, sharing rarely benefits the victim company and typically benefits its competitors, so many organizations fail to see any value in sharing cybersecurity information. Reservations about distributing personal information across numerous government agencies, and about how different agencies might handle that information, also make some organizations cautious about sharing cybersecurity information.
Cybersecurity Information Sharing Act
In December of 2015, President Obama signed the Cybersecurity Information Sharing Act (CISA) to improve cybersecurity in the United States through enhanced sharing of cybersecurity threat information. The CISA directs several Federal agencies to facilitate and promote the timely sharing of classified cyber threat indicators (CTIs) and defensive measures (DMs) within the Federal government and with other entities with security clearance. The CISA has provisions that protect companies from liability for disclosing information about cyber-attacks if they act within the constraints of the law. For organizations concerned about the privacy of their data, the CISA requires all personally identifiable information to be removed before sharing. However, this typically is not an issue because most of the information being shared is largely technical, and usually only includes the code behind new cyber threats.
The bill designates the Department of Homeland Security (DHS) as the liaison between government agencies and companies as they share cybersecurity information with one another, and DHS has developed and implemented numerous information sharing programs. The DHS has developed partnerships and shares substantive cybersecurity threat information with the private sector, which owns and operates most of the nation’s critical infrastructure. DHS also shares information with state, local, tribal, and territorial governments and with international partners.
Staying Ahead of Cyber Criminals
While CISA programs are responsible for facilitating disclosure of new threats, the DHS isn’t actively looking for malware and vulnerabilities. In addition to the DHS programs, there are various ways organizations in the United States can get a view of the evolving threat landscape and the millions of unique threat indicators that are collected worldwide, including:
- Paying for it: Many large companies (Cisco, IBM, and Microsoft, for example) charge customers for a service that provides this information. These companies collect data from their customers all over the world, analyze it, and turn it into an actionable information source. Some of these companies will push updates to your network to thwart potential attacks.
- Joining an organization: Many organizations have founded coalitions where they share intelligence information. These are most often organized by sector (e.g., government, healthcare, financial, insurance) and are called ISACs (Information Sharing and Analysis Centers). Members of these groups collect data from each other and share information that can be an actionable information source.
- Research: Cyber Threat Intelligence Information Sharing Exchange Ecosystem (CyberISE), several projects being completed by Georgetown University under the direction of the Federal government to automate and standardize cyber threat information sharing.
Information Sharing—Next Steps
Developing common incident response guidelines to coordinate information sharing and building effective channels for sharing cyber threat information promptly across corporate America and government agencies will provide US cybersecurity experts with valuable resources for improving their awareness of cyber threats. The National Institute of Standards and Technology (NIST) has written a document about Cyber Threat Intelligence and Information Sharing, Special Publication 800-150, that provides guidelines to help organizations formulate their threat sharing strategy.
Sharing was hard in kindergarten, and it is hard now. However, malicious attackers share information, and if we hope to keep pace, we need to share information about cybersecurity attacks and how to defend against them. To become a country that can defend its information technology systems, we must overcome our hesitancy to share by expanding trust and relying on each other to assist in our cyber defense.