Designing the future of cyber threat intelligence sharing
By Katie Donegan
Cybersecurity information sharing mutually benefits public and private parties, alerting them to new intelligence on risks and defense tactics. After all, the more information available to security teams, the better equipped they are to make decisions about threat defense and response.
In order to create collaborative public-private partnerships for information exchange, however, gaps in threat sharing must be fixed, threat intelligence sharing platforms must be built and, above all, trust must be established and maintained between participating parties.
Speakers at the Advanced Cyber Security Center (ACSC) conference in Boston gathered to assess the current state of collaborative defense and explore the roles governments and private sector companies play in the future of cybersecurity collaboration in a world of ever-changing threats.
Selling the idea of cybersecurity collaboration
Data shared during cybersecurity collaboration can benefit CISOs and their organizations in many ways. Intel can be incorporated into security awareness training programs, and aggregated knowledge can provide insight into threats such as social engineering emails. Sharing this intelligence with employees empowers them with the understanding that they provide protection against bad actors.
Cybersecurity threat intelligence sharing can also provide prospective buyers with information necessary to make purchase decisions. Most importantly, it facilitates trust between organizations — a critical aspect when agencies need to partner in the event of a security incident.
Public-private cybersecurity collaboration has been bolstered by issues of election security and ransomware attacks on state and local governments — and the stakes are high. ACSC speaker David Newman, partner at the international law firm Morrison & Foerster, emphasized the importance of shifting attitudes about collaboration, starting with the government.
“Pre-9/11, the government had a Cold War, espionage mentality when it came to intelligence. They didn’t share with the private or public sectors,” Newman said. “There needs to be a paradigm shift. This cannot be a Cold War. Election security hangs in the balance.”
Legislative efforts to enable threat intelligence sharing between public and private sectors have been made. 2015’s Cybersecurity Information Sharing Act (CISA), for example, authorized cyber information sharing among federal, state, local and tribal governments and private sector organizations. However, because CISA participation is voluntary for nongovernmental organizations, the number of private sector organizations taking part is dramatically low.
More challenges to defense collaboration
Lack of government-led threat sharing efforts isn’t the only thing worrying the ACSC speakers. Representing financial services, healthcare and technology industries, universities and the Commonwealth of Massachusetts, the participants outlined multiple pain points as barriers to successful collaborative defense partnerships between the private sector and the government.
In his appeals for a collaborative approach to cyberdefense, Morrison & Foerster’s Newman drew upon his professional experience in government as a senior White House and U.S. Department of Justice attorney.
“Right now, there is a trust gap. CISOs are saying, ‘We’re not getting the assistance we need from the government,’” he said, adding that the government needs to get its messaging right to build a strong foundation for partnership through trust.
Post-9/11, efforts to share terrorism-related intel across agency lines were galvanized. A similar collective effort needs to happen on the cyber side, Newman said. But, to make any such effort worthwhile, the government needs more resources.
Plus, in the past, there has been a turf struggle within state agencies when it comes to security responsibilities, added Curtis Wood, secretary of the Massachusetts Executive Office of Technology Services and Security (EOTSS).
“We’ve created a competition inside government. Everyone struggles with who is in charge and who can share what information,” Wood said.
However, Wood has seen some progress in public-private collaboration from his vantage point at EOTSS. When conversations between vendors and governments transition from strictly sales or product transactions to industry trends and new threats, Wood said, he sees the spirit of collaboration and potential. But, he added, “I still would like to see action, not just talk.”
Enterprise leaders also experience the patchwork nature of private sector regulation as a disincentive to cooperate with the government on threat intelligence sharing initiatives. “Meaningful compliance is hard,” Newman said.
Larry Clinton, president of Internet Security Alliance, echoed Newman’s sentiment. He said streamlining regulation should be a government priority. Eliminating “undue burdens” on organizations, particularly small businesses, Clinton said, creates more hope for success in public-private cyber collaboration. Addressing inconsistencies and the cost-prohibitive aspect of private sector regulation, he argued, could enable success for the regulation itself, as well as for companies seeking compliance, and, at the same time, demonstrate a good faith effort on the part of government to encourage collaboration with the private sector.
Another obstacle to a constructive threat intelligence sharing partnership is the cybersecurity skills gap currently facing the industry — especially in the government. The current government workforce is less than tech-savvy, Newman said, but he acknowledged the difficulty of bringing in new talent to fill the 500,000 open positions in cybersecurity.
“The government is able but not skilled,” he said. Investment in workforce training, he added, is critical to build a security culture suitable for successful public-private collaborative defense against threats.
What would an ideal information sharing partnership look like?
In addition to making intelligence sharing the new normal, speakers from both sectors agreed on the need for a secure threat sharing platform. One way to get such a project off the ground, the speakers agreed, is to attract business leaders to the initiative. Infosec leaders must make enterprise-wide risk management an economic issue, not just an IT one.
One speaker suggested architects of the next-generation threat intelligence sharing platforms should take a page from the cybercriminal’s book.
Christopher Ahlberg, CEO and founder of real-time threat intel company Recorded Future, pointed out ways criminals excel at collaboration. He explained how some cyber-minded people flock to criminal activity because they lack an outlet for their skills: “Their vertical capability and infiltration techniques require coordination with others. Criminals run forums and chatrooms to communicate.” Such infrastructure could also help private and public parties penetrate and glean information, he said.
The ideal threat intelligence platform should do more than serve simply as a dumping ground for information display, said Sandy Carielli, analyst at Forrester Research. Dashboards should be a destination for people looking for comprehensive data analysis to glean real insights, she said, adding that it would likely be designed by developers in the private sector.
Recorded Future’s Ahlberg agreed: “We need to build the Bloomberg of cybersecurity.” The ideal platform must offer updates in real time, he said — it would be helpful for platform users to have ticker tape at the bottom of the screen with to-the-minute intelligence on vulnerabilities and breaches.
While there was a consensus among ACSC speakers and attendees on the need for collaboration, there was another consensus: Everything starts with improvements in public-private relations. Trust-building efforts, such as establishing communication channels and better treatment from enterprise victims of data breaches, were two other key takeaways from the ACSC panels. A human element is part of that, too. By engaging with professionals on the other side, threat intelligence sharing can become a more attainable effort.