What the Debates on Information Sharing Seem to be Missing

If Threat Information is Available But not Fully and Effectively Utilized, Then Knowledge is Not Power

The term “information sharing” has been all over the news ever since the President’s executive order on cybersecurity — even more so now that the Cyber Intelligence Sharing and Protection Act (CISPA) passed in the House with a tally of 248-168, and there are budget dollars on the table. To those in the business of protecting critical infrastructures from cyber attack, it’s been a topic that has been visited, re-visited, and beaten nearly to death over the past decade. The goal is commendable and sincere: if we share information about cyber threats—which are growing in numbers and evolving in sophistication at frightening rates—then we will all be better informed and, ergo, better able to protect ourselves. Scientia potestas est. Knowledge is power.

Putting the debates of feasibility, responsibility and liability aside, there is an amazing wealth of relevant information to be shared. There are a number of experts and organizations, both public and private, that perform exhaustive vulnerability research to understand what new threats look like, where they’re coming from, and how to protect against them. The relevance and value of using this wealth of information to improve security is irrefutable. Before you can use knowledge, you must acquire it, and that means sharing information.

However, even if we do achieve the “near real-time sharing of cyber-threat information to assist participating critical infrastructure companies,” and even if this information is shared between federal agencies (which presumably have lots of knowledge to convert into power) and private industry, there’s still a fatal flaw.

If the information is available but not fully and effectively utilized, then knowledge is not power—it is simply knowledge. Books in a library, unread. A lecture, unattended.

It’s perfectly possible to utilize knowledge fully and effectively, but there’s still a strong reluctance to do so within industry because it requires capital and operational expense. There are many commercial tools available to squeeze the full defensive potential out of this information, but are these tools deployed? Even counted together, as a whole, the entire advanced threat protection market is far from ubiquitous.

Policy and practices, recommendations and risk assessments are all good, but you can’t defend against a cyber threat without a cyber defense. Technology is necessary to fight technology. And you can’t fight tomorrow’s threats with yesterday’s security technology. In the US, there are now budget dollars on the table, but will they be used wisely? Will they help realize the potential of the global cyber security industries’ collective knowledge? Information feeds aren’t enough, because sharing what already happened can’t protect us from what has yet to come. Technology needs to advance, to use the information that we have in new, predictive and powerful ways.

Otherwise, the threat will always remain ahead of the mitigation. Information sharing is by definition reactive. One group will share with another group some details of some incident that has occurred in some place. Some vulnerability that has been exploited will be disclosed after the threat has been realized so that other potential targets can better defend against a similar attack. It might protect against the repetition of attacks across an industry, but the initial damage is done. As malware gets more complex, the initial attack is less likely to resemble subsequent attacks, further devaluing any mitigation against the initial vector.

Knowledge is power, but only when fully realized and effectively utilized. Unless the world’s critical industries change their fundamental attitudes towards implementing security, and move beyond baseline recommendations to implement cutting edge defenses, our efforts will fail. Our books will grow dusty. Our lecture hall will echo.
