In the field of information security, many experts believe that broader sharing of information about online threats and attackers equates to more security for all of the Internet’s users. In reality, however, the two biggest targets and collectors of this intelligence – private sector firms and national governments – often have competing objectives.
Eugene Spafford, a professor of computer science at Purdue University in West Lafayette, Indiana (USA), said both sides are beset by stumbling blocks of their own making. “The government often doesn’t want to disclose (information) because it may expose their sources and methods,” Spafford said. Therefore, government-monitored attacks against corporations are often allowed to continue for months or years, to collect information on the attackers’ methods, before victims are notified – if they ever are.
“Governments also tend to overclassify a lot of the data because they simply don’t know how best to manage it,” Spafford said. “What prevents companies from sharing threat information is that many of them have no confidence in their own security. They fear that if they share too much, it may draw attention to ways in which they’re not well-protected.”
To address some of these hurdles, lawmakers in the United States have been debating a controversial proposal called the “Cyber Intelligence Sharing and Protection Act” (CISPA), which seeks to make it simpler for companies to share cyberattack data with the government. However, action on CISPA has been derailed by whistleblower revelations on the extent of the US National Security Agency’s surveillance programs.
“CISPA has the potential to aggregate a lot of data, potentially creating a much bigger target for criminals and cyberspies,” Spafford said. “Also, one important privacy principle is to limit the scope and lifetime of the collected data, but neither is particularly addressed in this effort.”
One universal challenge with information sharing between the public and private sectors is managing expectations, said Erik de Jong, a cybercrime expert with FoxCERT, a security services firm based in the Netherlands. De Jong said although the Dutch government emphasizes the importance of information sharing, in practice it shares a limited amount of cyber intelligence with the private sector.
“I think this is not necessarily a result of not being willing, but rather the result of an unclear mandate,” he said. “There are claims of support by the government, but when the rubber meets the road it turns out that what is being delivered doesn’t match with the expectations that private organizations have.”
De Jong said it is easy to talk about sharing to create “a more secure Internet” and “a more secure digital society.” While this may be a primary interest of a government, he believes that it is – at best – a secondary interest for most private organizations.
“The primary interests of private organizations, I think, are often not really explicitly mentioned or considered by government organizations,” de Jong said. “I think it would be more fair and more effective if both parties acknowledge each other’s primary interests in order to know what you can and cannot expect from each other.”
HOW MUCH TO SHARE?
Some argue that a cottage industry of cyber-intelligence vendors – as well as pending legislative plans to facilitate information sharing between the public and private sectors – gloss over a larger problem: How to know what information to share, with whom and when?
“The discussions we’ve been having about liability protection and data anonymity and secrecy are all, for the most part, red herrings for people who just don’t really want to share,” said Alan Paller, director of research for the SANS Institute, a security research and training group based in Bethesda, Maryland (USA). “Even if there were the incentive or desire to share more, it wouldn’t be effective when people really need it. In the middle of an attack it’s very difficult to know what’s going on; after an attack there is just so much data that it buries people.”
Rather, Paller suggests, governments should require cyber-intelligence providers – particularly those that make the bulk of their money through taxpayer-funded government contracts – to extract and share more key pieces of attack data from victim organizations.
“At least in the United States, lots of (cybersecurity) companies get hired to help firms respond to data breaches; in many cases the victims are legally required to hire one of these companies,” Paller said. “The government has a right to get more metadata out of those investigations.”
The US Centers for Disease Control and Prevention (CDC), which collects data from hospitals and physicians in a bid to arrest the spread of infectious diseases, could be a useful model for cybersecurity collaboration, Paller said.
Such a system might involve licensing certain companies to be cyber-incident handlers. Organizations whose security has been breached would be legally required to work with one of the licensed incident handlers, which could then aggregate and share insights with government security interests without disclosing any individual data.