CyberEye

Cyber info sharing: More noise than signal?

The need for timely sharing of information about both potential and actual attacks has been considered a prime focus for government and industry cybersecurity for at least the past decade. The 9/11 Commission report first brought to light the lack of intelligence sharing among agencies, for example, and that lack was seen as extending into the cybersecurity realm.

The language used in the report, though aimed at terrorism, speaks as much to the problems surrounding cybersecurity today. The events of 9/11 showed "an enemy who is sophisticated, patient, disciplined, and lethal," and also the "fault lines within our government (and the) pervasive problems of managing and sharing information across a large and unwieldy government."

The Obama administration's most recent push to improve U.S. cybersecurity tries to ratchet up efforts to improve information sharing both within government and with the private sector. Shortly after, the administration announced the formation of a new Cyber Threat Intelligence Integration Center that's intended to be the government's focus for rapid collection and dissemination of information on cyberthreats.

How far this will go is an open question. While some have welcomed the new proposals, others wonder if the new center will just add to the organizational confusion. The National Security Agency, the Department of Homeland Security, the FBI and the military already have responsibility for collecting this kind of information and, after years of acrimony and pushback, they've managed to develop cohesion about sharing it.

Technically, the tools for sharing have also progressed, leading to a number of acronymic specs such as TAXII (the Trusted Automated eXchange of Indicator Information), STIX (the Structured Threat Information eXpression) and the Cyber Observable eXpression (CybOX). Joining them recently is the Data Aggregation Reference Architecture (DARA), a first response to the 2012 National Strategy for Information Sharing and Safeguarding.

These and other tools all perform important roles. DARA, for example, is aimed at providing a model for how various groups can pull data sets together in order to improve security while also protecting individual privacy, which has been one of the big stumbling blocks to sharing of information.

But is all of this enough? If 2014 showed anything, it's that cybersecurity efforts are falling behind the speed and the level of sophistication attackers apply to the way they get threats into the cyber infrastructure. President Obama in fact mentioned the attack on Sony Pictures late last year as just the latest reason behind his new legislative proposals.

Industry looks to the government for a lead on many aspects of cybersecurity, but the fact is that government is not noted for its speed in dealing with cyber threats, or for convincing industry to share information about attacks with it. However, it is trying. The FBI, for example, released an unclassified version of its Binary Analysis Characterization and Storage System (BACSS) as an additional incentive to public/private sharing.

Now industry seems to be expanding its own efforts to improve sharing. Facebook has launched a framework for "importing information about [threats] on the Internet in arbitrary formats, storing it efficiently, and making it accessible for both real-time defensive systems and long-term analysis." Early partners already include Bitly, Dropbox, Pinterest, Tumblr, Twitter and Yahoo.

Microsoft last year also introduced Interflow, its own attempt to collaborate more closely with the cybersecurity community. That adds to a number of other international collection and sharing efforts, as well as the global infrastructures that individual security companies have established to collect information about threats.

There are still major barriers to sharing, particularly privacy and the need for encryption. How government manages to live within, and profit from, this growing sharing ecosystem while improving how fast it reacts to threats is the real question it has to address.

Posted by Brian Robinson on Feb 13, 2015 at 9:41 AM


Reader Comments

Wed, Feb 18, 2015 Brian Robinson

Michael, I have no problem with your overall thesis, though I think it's largely historical. Security certainly was seen in industry as a mysterious hole, investment in which had no obvious payback. To some extent that same mentality has been evident in government agencies, outside the intell communities, as agency heads juggled shrinking budgets and security took a backseat beyond the efforts needed to meet the box ticking required of FISMA etc. I think that is changing. The past couple of years with Snowden et al. have raised awareness in government circles, and critically with government execs, of the need for better security. And I think the industrial instances of breaches at Target, Home Depot and, yes, Sony have taken the issue to a new level in that arena. (I disagree with you about no account holder injury with Target - ask the former CEO there). Do we have "real" engagement yet? No, but it's a lot better than it was. And the reality for industry is that cybersecurity legislation that will affect how they conduct their security operations will be forthcoming, possibly this year. Industry does increasingly look to government for technical guidance on cybersecurity, and I think there will be more, albeit reluctant, looking on regulatory issues.

Wed, Feb 18, 2015 Hus http://www.codicescontoit.com

thanks for the valuable info.

Tue, Feb 17, 2015 Michael Aisenberg Palm Beach FL

Brian has aptly described the As Is environment. But only at the biographical level. And with one glaring error. That error is the notion that "industry is looking to government" for direction, guidance or leadership on cybersecurity. As Stratton Sclavos used to say while CEO of VeriSign, even in the face of attacks against their peers, it was a very hard sell to get CEOs of other companies to invest in security tools when the evidence of attacks against their own assets was missing; much better, they reasoned, to spend the $10 million on marketing that would provide immediate ROI. So they are NOT looking for leadership; they are looking to be left alone and insulated from injury. They do not understand the shared risk nature of the benefits and massive productivity increase they reap from the network.
The essay is a bit thin on defining the sins of the past and present Administrations' responses to this reality. The last administration thought populating government cyber policy with corporate cops and bean counters would be the right response; unfortunately, most efforts supported "force protection" for classified networks and left the economy's Critical Infrastructure sectors to fend for themselves. This Administration, recognizing some of the error of the past, looked to cyber technocrats, who are equally clueless about how to get their former peers to ADOPT anything they can not justify to shareholders. Certainly, voluntary Cyber Frameworks make an interesting read, but in the absence of demonstrated harm (even the massive Target "breach" has yet to evidence substantial accountholder injury, and Sony--well Sony was Sony--did you see the movie?) the investments in real security are not going to be bolted on unless it makes economic sense. No number of Computer Science PhDs can move stock prices as acts of faith...What is required, IMO, is REAL engagement between USG policy makers and corporate leaders...not the NIST Workshops and phony baloney pre-baked scripted Cyber Summits and "voluntary Frameworks"...the threats are real, and some sectors are taking collective steps to address them (Banking FS-ISAC, Chem sector), but as to the rest, DON'T go looking to government for help--indeed, it may be one of the major obstruction points towards progress...until it understands the industry and its motivations much better than it does at the moment.
