Information sharing is one of the key buzzwords in information security today, but there hasn’t been a lot of movement towards formalizing public/private partnerships to share vulnerability and threat information.
There are “weaknesses in specific aspects” of current private/public information-sharing programs, and these initiatives can be improved, NSS Labs’ Research Director Andrew Braunberg and Research VP Ken Baylor wrote in a recent report. In its latest report, “U.S. Cybersecurity Information Sharing Update: Steady but Uneven Progress,” NSS Labs examined various public/private information sharing initiatives and identified pitfalls and issues to consider as government agencies work with the private sector to share cyber-security intelligence and threat data.
Progress has been made in the financial services and defense industrial base sectors, but not so much in critical infrastructure, according to the report’s authors. Real-time situational awareness is lacking, and the government’s cyber-intelligence capabilities aren’t being utilized to protect critical infrastructure. Even though the Department of Homeland Security Enhanced Security Services program provides classified cyber-threat information to wider critical infrastructure sectors, industry participation remains limited because most of the employees in these sectors don’t have the right level of security clearance.
“We are still struggling to find and enable the right level of public/private cooperation and responsibility assignment to protect the nation’s critical infrastructure,” Braunberg and Baylor wrote in the report.
The government has a tendency to over-classify data, making it less useful for the private sector. The Department of Homeland Security must declassify cyber-security data useful to the private sector whenever possible and make that information immediately usable, the report said.
The public and private sectors tend to approach cyber-security from different sides of the problem. The government is looking at the worst-case scenario, while the private sector is assessing and determining the most likely scenario, wrote Braunberg and Baylor. These different perspectives determine what type of information each organization needs. Private sector participants need information that is “specific, timely, and actionable,” but the data from the government can often be “generic, stale, heavily redacted, or potentially classified,” they wrote in the report.
Information Sharing and Analysis Centers (ISACs) are formed around specific industry sectors, such as the FS-ISAC for financial services. FS-ISAC is considered the most mature and most successful, and a major reason appears to be the number of organizations taking part. FS-ISAC boasts over 4,400 organizations as members, including commercial banks, credit unions, brokerage firms, insurance companies, exchanges, clearing houses, payment processors and trade associations.
ISACs tend to focus on higher-level strategic discussions, such as legislation and regulatory requirements. A large membership generally makes it easier to look at the big picture and harder to focus on the actionable, tactical intelligence that member organizations need. This means there is little tactical threat data being exchanged among participants, driving members to go elsewhere for information sharing, the authors wrote. ISACs also need to avoid putting their sectors in a silo. While focusing on a single industry helps build up trust, threats crisscross different industries, so ISACs need to focus on cross-industry partnerships, the report found.
“The U.S. government and the private sector should not start from scratch regarding cybersecurity data sharing,” the authors wrote. There are existing programs and initiatives that can be built on and extended. The government also needs to build a framework that better measures the success of information sharing efforts, improve liability protection to encourage participation, and “incentivize participation by providing baseline funding” for ISACs and other initiatives.
For information sharing programs to succeed, there also needs to be some agreement on common definitions and formats in order to exchange actionable threat intelligence, the report noted. There is consensus that definitions are essential, “yet these remain under development,” the authors wrote. The lack of common definitions even came up in the discussion section of Verizon’s 2013 Data Breach Investigations Report, released earlier this year. Without common definitions and formats, it is difficult to tell which incidents and threats are actually the same, or related.
And finally, information sharing programs need to think seriously about civil liberties and privacy. Recent legislative attempts have been met by a firestorm of opposition from privacy advocates and civil liberties groups. The fact that an organization is collecting and aggregating cyber-threat information could result in personal information being collected and exposed to third parties.
“Congress needs to find the right balance between critical infrastructure providers and civil liberties groups, with respect to liability protection and to privacy protection,” the authors wrote, adding, “They are both key concerns.”