Experts propose better cybersecurity information-sharing models

November 14, 2013

Brandan Blevins

BOSTON -- Better cybersecurity information sharing has long been a priority for the security industry, but significant hurdles have always halted the progress of sharing initiatives. At the annual ACSC conference, security leaders from government, education and private industry made another attempt at cracking the info-sharing chestnut.

Hosted at the Federal Reserve Bank of Boston, the day-long Advanced Cyber Security Center (ACSC) event focused on the many challenges standing in the way of prompt security information sharing, from legal implications to a simple lack of trust. Phyllis Schneck, deputy under secretary for cyber security for the National Protection and Programs Directorate of the U.S. Department of Homeland Security, opened the conference with a call to arms for security pros.

"We face an adversary that has no lawyers, no laws … and plenty of money," Schneck said. "How do we fight back? We take our infrastructure back."

Previously the chief technology officer for the Global Public Sector division of security vendor McAfee Inc., Schneck has only been in her government role since August, but emphasized that her No. 1 priority is building trust between the government and the private sector.

Schneck acknowledged the challenges that have plagued information sharing between government agencies and industries in the past. When an organization sent information off to the government, for example, it would often never receive anything back, or, if some information related to the response was classified, the response might not be actionable. Alternatively, in a situation where a private company shares sensitive information that is later made public, the company could suffer by way of falling stock prices and shareholder lawsuits over potential negligence.

"I'm from [the] industry and I want to know how to build this bridge," she said. "We have the ability to defeat this adversary … by building trust."

As for actually improving information sharing, Schneck envisioned implementing lightweight sensors in enterprise networks across the country that could feed information to the government, which could then disseminate that data back out to private companies. Much like how a human body doesn't need to ask for permission to fight off a virus, she said such an initiative could give nearly real-time threat information to companies so they could better defend themselves.

"When machines talk, there isn't any reason they can't tell each other something bad is coming," Schneck commented. "Global situational awareness is the dream, and we plan to live that dream by engaging people to get their trust and [by incentivizing] companies to build something into their networks that talks to these protocols."

Expert panel details information-sharing challenges

In a panel hosted by retired U.S. Navy Rear Admiral Mike Brown, several experts delved into the problems they've experienced with threat information sharing in the past and discussed models that would push the status quo forward.

Panelist Gary Gagnon, the chief security officer with the MITRE Corp., said one of the chief issues he has encountered has been the desire of info-sharing partners to remain anonymous. Though he conceded that there are legitimate reasons for doing so, Gagnon said anonymity destroys the valuable ability to pick up a phone and discuss what kind of attacks are targeting a partner.

"I'm not saying [remaining] anonymous is always bad," he said, but "it sometimes slows down the process."

Gagnon also advocated for more managed security services to make their way to the market, with a particular focus on serving smaller companies that usually lack the finances and capabilities to take full advantage of cybersecurity information-sharing programs. Such services could wade through the overwhelming amounts of data sent by the government and other entities and apply the relevant aspects to a smaller organization.

Panelist Kathleen Moriarty, global lead security architect at Hopkinton, Mass.-based EMC Corp., advocated for "operator-driven models" of information sharing, where threat information is sent directly to those organizations that can stop an attack before it ever hits a network.

As a successful example of such a model, she pointed to the Anti-Phishing Working Group (APWG), which collects information on potential phishing sites, analyzes that info and then sends it to Internet service providers that can take the necessary action to block points of origin -- all without ever involving customers.

Panelist Eric Burger, director at the Georgetown University Center for Secure Communications, implied that the government can't really do anything when it comes to many of the issues brought up at the ACSC conference, apart from identifying and arresting an attacker. Instead, businesses will increasingly need to communicate with one another if they want to share vital threat information -- something that's already happening across various industries via the National Council of ISACs, though with varying degrees of success.

Similarly, Burger and his team at Georgetown have come across many challenges regarding private industry security information sharing. For example, he pointed to various legal rulings around the world regarding whether an IP address is considered personally identifiable information (PII). A court in Illinois ruled that an IP address isn't PII, he said, but various European Union members may not agree. If the Germany-based branch of a U.S. business shares information about an attack originating from a certain IP address, he pondered, can that information be shared across the company?

"We realized the barriers to information sharing weren't the need for protocols," Burger said, "but [the] law."

Though security information-sharing hurdles were the theme throughout the day, all were in agreement that the benefits could be vast and that the problem requires more attention.

Summing up the thoughts of the room, Adm. Brown compared the need for information sharing to the recent Boston Red Sox World Series triumph. Brown noted that the 2013 team, having fallen apart in previous years, had gone from last place in the AL East to first by working together, a turnaround that could serve as inspiration for the security industry.

"If you're a team of individualists, you'll fail like 2012," Brown said. "If some of you out there don't think information sharing is important … you're obviously not a Red Sox fan, and you know where the door is."