Security Experts:

What the Debates on Information Sharing Seem to be Missing

If Threat Information is Available But not Fully and Effectively Utilized, Then Knowledge is Not Power

The term “information sharing” has been all over the news ever since the President’s executive order on cybersecurity — even more so now that the Cyber Intelligence Sharing and Protection Act (CISPA) passed in the House with a tally of 248-168, and there are budget dollars on the table. To those in the business of protecting critical infrastructures from cyber attack, it’s been a topic that has been visited, re-visited, and beaten nearly to death over the past decade. The goal is commendable and sincere: if we share information about cyber threats—which are growing in numbers and evolving in sophistication at frightening rates—then we will all be better informed and, ergo, better able to protect ourselves. Scientia potestas est. Knowledge is power.

Putting the debates of feasibility, responsibility and liability aside, there is an amazing wealth of relevant information to be shared. There are a number of experts and organizations, both public and private, that perform exhaustive vulnerability research to understand what new threats look like, where they’re coming from, and how to protect against them. The relevance and value of using this wealth of information to improve security in irrefutable. Before you can use knowledge, you must acquire it, and that means sharing information.

Information SharingHowever, even if we do achieve the “near real-time sharing of cyber-threat information to assist participating critical infrastructure companies," and even if this information is shared between federal agencies (which presumably have lots of knowledge to convert into power) and private industry, there’s still a fatal flaw.

If the information is available but not fully and effectively utilized, then knowledge is not power—it is simply knowledge. Books in a library, unread. A lecture, unattended.

It’s perfectly possible to utilize knowledge fully and effectively, but there’s still a strong reluctance to do so within industry because it requires capital and operational expense. There are many commercial tools available to squeeze the full defensive potential out of this information, but are these tools deployed? Even counted together, as a whole, the entire advanced threat protection market is far from ubiquitous.

Policy and practices, recommendations and risk assessments are all good, but you can’t defend against a cyber threat without a cyber defense. Technology is necessary to fight technology. And you can’t fight tomorrow’s threats with yesterday’s security technology. In the US, there are now budget dollars on the table, but will they be used wisely? Will they help realize the potential of the global cyber security industries’ collective knowledge? Information feeds aren’t enough, because sharing what already happened can’t protect us from what has yet to come. Technology needs to advance, to use the information that we have in new, predictive and powerful ways.

Otherwise, the threat will always remain ahead of the mitigation. Information sharing is by definition reactionary. One group will share with another group some details of some incident that has occurred in some place. Some vulnerability that has been exploited will be disclosed after the threat has been realized so that other potential targets can help to better defend against a similar attack. It might protect against the repetition of attacks across an industry, but the initial damage is done. As malware gets more complex, the initial attack is less likely to resemble subsequent attacks, further devaluing any mitigation against the initial vector.

Knowledge is power, but only when fully realized and effectively utilized. Unless the world’s critical industries change their fundamental attitudes towards implementing security, and move beyond baseline recommendations to implement cutting edge defenses, our efforts will fail. Our books will grow dusty. Our lecture hall will echo.

Related Reading: Threat Information Sharing - Fighting Fire with Fire

Related ReadingCombating Emerging Threats Through Security Collaboration

view counter
Eric D. Knapp (@ericdknapp) is a recognized expert in industrial control systems cyber security, and continues to drive the adoption of new security technology in order to promote safer and more reliable automation infrastructures. Eric is currently the Director of Cyber Security Solutions and Technology for Honeywell, and is the Chief Technical Advisor, North America for the Industrial Cybersecurity Center. He is also the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA and Other Industrial Control Systems.” His new book, “Applied Cyber Security for Smart Grids” was co-authored with Raj Samani, McAfee CTO EMEA. The opinions expressed here represent Eric's own and are not those of his employer.