Silence isn’t golden: Information sharing is key to combating cyber attacks
More communication between public, private sectors needed to effectively disseminate threat data
By Bill Conner, Special to ThirdCertainty
Cybersecurity continues to bolster the focus of national—and global—attention, with cybersecurity professionals gaining significant strides against international cyber crime.
Most recently, two Russian intelligence officers and two criminal hackers were charged in a Yahoo data breach incident, which started in January 2014 and involved 500 million compromised Yahoo accounts.
Related story: 3 things to consider about the Yahoo breach
The U.S. Department of Justice and FBI are calling the indictments a victory for information sharing and encourage other companies to report breaches to the federal government. This example touts the importance of proactive engagement and cooperation between public sectors and the government, but it also raises the need for legislation that removes barriers for collaboration and information sharing among public institutions and between public and private institutions.
Information sharing is one of the most vital keys to cybersecurity, but it’s one of our weakest points as a nation today. There’s an undeniable isolationist bent among U.S. government institutions at the moment, both in terms of how they collaborate with one another and with foreign governments.
Businesses leery of sharing
On the private side, the Cybersecurity Information Sharing Act of 2015 aimed to encourage the free flow of information among private and public institutions. However, many companies have been reluctant to participate in information sharing due to concerns about potential lawsuits, fear of losing customers over perceived security gaps, and confusion surrounding the regulatory stipulations about sharing certain data.
It’s also worth noting that there has been no legislation that compels public institutions to share cybersecurity information with the private sector, creating an environment of distrust and continued informational gaps.
Get everyone on same page
The first step to addressing these challenges is creating a standardized framework for the entire United States so that cybersecurity teams have a common parlance and clear imperatives to make communication easier. The National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is a voluntary guidance for critical infrastructure organizations to better manage and reduce cybersecurity risk, may be an ideal model.
However, any legislation, executive orders or state regulations being introduced also need to ensure private companies feel protected, informed and empowered to share information. That may mean government agencies need to make that communication a two-way street.
They also may need to open the gates between agencies and even between allied governments in order to fill in vital information gaps and make overall defenses quicker and more surgical. Entrenched norms can be difficult to change, but the ramifications for allowing this institutionalized silence to continue may be disastrous.
After all, there are few, if any, barriers stanching the flow of information among cyber criminals, and they’re adapting and evolving every day as a result.
More stories related to information sharing:
Obama orders companies, government to share threat intel
Billion-dollar bank heists highlight lack of intel sharing
Tech rivals share intel to repel Chinese hackers