Common language is needed for cybersecurity info sharing
Lack of a common way of defining and speaking about threats, risk and incidents hampers security efforts
Amit Yoran, former cybersecurity director at the Homeland Security Department, had some sobering words last week about the battle for cybersecurity. “We lost,” Yoran, now chief executive officer of NetWitness Corp., said at the Symantec Government Symposium in Washington. “We lost the cyber war over the last 15 years. Our computing environment is already compromised,” and things are likely to get worse going forward because we do not really understand security. “We lack any meaningful metrics or measures to say how secure a system is.”
How can this be, when we have so many really bright, dedicated people working hard to improve security? It is no longer true that the best minds are on the side of the hackers. The dark side of cyberspace has been co-opted by organized crime, entrepreneurs of questionable integrity and, possibly, terrorists. Sure, they have some bright people on their side, but much of the process of illegal hacking has been mechanized to the point that it involves automation, not innovation. The really smart people, whether they are driven by money or a thirst for recognition, are working today on the side where the real challenge is: with the good guys.
At least part of the problem was identified by U.S. Computer Emergency Readiness Team Director Mischel Kwon: We lack a common language for discussing many of the elements of security. “We need to reinvent not only how we do incident response, but how we talk about events,” Kwon said at the symposium.
More and more, security is about cooperation and information sharing. The defining characteristic of cyberspace is its interconnectedness and lack of borders. A person with a smartphone in Bangalore can reach out and touch servers in Washington, Buenos Aires and Tokyo. Separate silos of security are as easily circumvented today as the Maginot Line was in 1940. The mantra of security today is partnerships.
But we lack a common way of defining and speaking about threats, risk and incidents. “Sharing all information is not necessarily the responsible thing to do,” Kwon said. Knowing when to share information, what to share and whom to share it with is difficult if we don’t first share a common nomenclature.
To quote Strother Martin in Cool Hand Luke, “What we've got here is failure to communicate.”
Progress is being made in this area, with efforts such as the common vulnerability naming and scoring schemes developed and maintained by Mitre Corp., which runs the Common Vulnerabilities and Exposures (CVE) list, and the National Institute of Standards and Technology, whose National Vulnerability Database builds on it. Availability of standardized references is important, but not sufficient: a shared name for a vulnerability does not by itself tell two organizations what to share about an incident, or when.
There are other problems as well, including an unwillingness to share, regardless of the language being used. This has long been a complaint made about the government in its public/private partnerships.
“The government loves to put itself in the middle of a PowerPoint slide with all the arrows pointing in,” Yoran said. Real cooperation requires that both sides get something out of the relationship, that value is received for value given.
But underlying everything is communication. As Symantec Corp.’s strategic programs manager John McCumber said, “We don’t know the difference today between what is a technical problem and what is a policy problem.”
McCumber, who has also served at DISA and NSA, takes a Zen view of security, calling it a journey rather than a destination. “Security is an ideal,” he said. “Like love.” And we all know how much trouble love can be, especially when the parties cannot communicate. “The most important thing we have to do is use the right lexicon.”