Don't Be Afraid of Cybersecurity Information Sharing
Kimberly Peretti and Lou Dennig, Corporate Counsel
Recent government action has shown that the White House and Congress are keenly aware of the potential data security benefits of robust information sharing between and among the private sector and the government. Last year, President Barack Obama unveiled an executive order (EO) to improve the cybersecurity of critical infrastructure entities that highlighted the important role information sharing must play. In recent years, information sharing bills have been introduced regularly in both the Senate and the House, and again on July 10, Sen. Dianne Feinstein, D-Calif., introduced the Cybersecurity Information Sharing Act of 2014 (CISA) in an effort to encourage the flow of cyberthreat data between the private sector and the government.
Companies are already sharing cyberthreat data, but many remain leery as they engage in this largely uncharted territory. This article will analyze the primary concerns raised by companies and highlight steps they can take to safely share information and leverage this important weapon against cybercrime.
The Benefits of Sharing
Receiving critical threat data has been shown to be an effective tool in both preventing cyberattacks and mitigating the effects of ongoing attacks. In a recent study, PricewaterhouseCoopers found that 82 percent of companies with “high-performing security practices collaborate with others to deepen their knowledge of security and threat trends.” IT security professionals also understand that information sharing is an integral part of defending their company from cyberattacks. Their belief is warranted, as last year one of the most highly respected information sharing platforms, the Financial Services Information Sharing and Analysis Center (FS-ISAC), was able to significantly mitigate the effects of a cyberattack on the sector by analyzing threat information it received from some of its members and quickly pushing it out to other financial institutions. In July, the concrete benefits of information sharing made headlines when the retail unit of a Fortune 100 company announced that it discovered malware on its system as a result of receiving threat intelligence from a government advisory. As those examples show, threat data is pushed out to companies from a variety of sources stemming from both the private sector and government.
As information sharing has increasingly been lauded as an effective tool in combating cyberthreats, the available platforms and methods for sharing such information have grown. Information security professionals have long relied on informal and semistructured networks and relationships with individuals in peer organizations to gain better insight into cybersecurity threats and vulnerabilities. While informal sharing remains the most common method, more formal mechanisms and platforms are gaining traction.
One mechanism, the post-to-all model, is similar to listservs. Organizations can post information regarding a cybersecurity incident to a message board or send out an email to a large group. In another model, certain business sectors have pooled their resources to create or join existing information sharing and analysis centers (ISACs), such as FS-ISAC. ISACs are sharing platforms designed to streamline the collection, analysis and dissemination of threat intelligence within a given sector. They follow a hub-and-spoke model in which companies send cyberthreat data to a common hub that organizes and analyzes the data before sending actionable threat intelligence out to ISAC members. Critical infrastructure sectors such as banking, energy and telecommunications have developed ISACs to more efficiently leverage threat data. An added benefit of ISACs is that they can become established, trusted entities with which the government feels comfortable sharing its valuable threat intelligence.
The government is a particularly useful source of threat data, in part because it obtains intelligence from such a wide variety of sources, be it law enforcement investigations into hacking groups, intelligence gathering activities or agencies monitoring their own systems for signs of cyberthreats. In 2009 the U.S. Department of Homeland Security (DHS) created the National Cybersecurity and Communications Integration Center (NCCIC), which is essentially a central repository of the critical threat data known to the government at federal, state and local levels. NCCIC works in collaboration with many ISACs to provide this trove of information to the private sector so that companies may better defend themselves from cyberattacks. Since the administration released the EO on protecting U.S. critical infrastructure last year, NCCIC has become a more visible and active entity that is now the primary gateway through which the private sector interacts with the government to share and receive threat data.