Cyber info sharing: More noise than signal?
The need for timely sharing of information about both potential and actual attacks has been considered a prime focus for government and industry cybersecurity for at least the past decade. The 9/11 Commission report first brought to light the lack of intell sharing among agencies, for example, and that lack was seen extending into the cybersecurity realm.
The language used in the report, though aimed at terrorism, speaks as much to the problems surrounding cybersecurity today. The events of 9/11 showed "an enemy who is sophisticated, patient, disciplined, and lethal," and also the "fault lines within our government (and the) pervasive problems of managing and sharing information across a large and unwieldy government."
The Obama administration's most recent push to improve U.S. cybersecurity tries to ratchet up efforts to improve information sharing both within government and with the private sector. Shortly after, the administration announced the formation of a new Cyber Threat Intelligence Integration Center that's intended to be the government's focus for rapid collection and dissemination of information on cyberthreats.
How far this will go is an open question. While some have welcomed the new proposals, others wonder if the new center will just add to the organizational confusion. The National Security Agency, the Department of Homeland Security, the FBI and the military already have responsibility for collecting this kind of information and, after years of acrimony and pushback, they've managed to develop cohesion about sharing it.
Technically, the tools for sharing have also progressed, leading to a number of acronymic specs such as TAXII (the Trusted Automated eXchange of Indicator Information), STIX (the Structured Threat Information eXpression) and the Cyber Observable eXpression (cybOX). Joining them recently is the Data Aggregation Reference Architecture (DARA), a first response to the 2012 National Strategy for Information Sharing and Safeguarding.
These and other tools all perform important roles. DARA, for example, is aimed at providing a model for how various groups can pull data sets together in order to improve security while also protecting individual privacy, which has been one of the big stumbling blocks to sharing of information.
But is all of this enough? If 2014 showed anything, it's that cybersecurity efforts are falling behind the speed and the level of sophistication attackers apply to the way they get threats into the cyber infrastructure. President Obama in fact mentioned the attack on Sony Pictures late last year as just the latest reason behind his new legislative proposals.
Industry looks to the government for a lead on many aspects of cybersecurity, but the fact is that government is not noted for its speed in dealing with cyber threats, or for convincing industry to share information about attacks with it. However, it is trying. The FBI, for example, released an unclassified version of its Binary Analysis Characterization and Storage System (BACSS) as an additional incentive to public/private sharing.
Now industry seems to be expanding its own efforts to improve sharing. Facebook has launched a framework for "importing information about [threats] on the Internet in arbitrary formats, storing it efficiently, and making it accessible for both real-time defensive systems and long-term analysis." Early partners already include Bitly, Dropbox, Pinterest, Tumblr, Twitter and Yahoo.
Microsoft last year also introduced Interflow, its own attempt to collaborate more closely with the cybersecurity community. That adds to a number of other international collection and sharing efforts, as well as the global infrastructures that individual security companies have established to collect information about threats.
There are still major barriers to sharing, particularly privacy and the need for encryption. How government manages to live within, and profit from, this growing sharing ecosystem while improving how fast it reacts to threats is the real question it has to address.
Posted by Brian Robinson on Feb 13, 2015 at 9:41 AM