Silence isn’t golden: Information sharing is key to combating cyber attacks

More communication between public, private sectors needed to effectively disseminate threat data


Cybersecurity continues to draw national, and increasingly global, attention, and cybersecurity professionals are making significant strides against international cyber crime.

Most recently, two Russian intelligence officers and two criminal hackers were charged in a Yahoo data breach incident, which started in January 2014 and involved 500 million compromised Yahoo accounts.


The U.S. Department of Justice and FBI are calling the indictments a victory for information sharing and encourage other companies to report breaches to the federal government. This example highlights the importance of proactive engagement and cooperation between the private sector and the government, but it also raises the need for legislation that removes barriers to collaboration and information sharing among public institutions and between public and private institutions.

Information sharing is one of the most vital keys to cybersecurity, but it’s one of our weakest points as a nation today. There’s an undeniable isolationist bent among U.S. government institutions at the moment, both in terms of how they collaborate with one another and with foreign governments.

Businesses leery of sharing

On the private side, the Cybersecurity Information Sharing Act of 2015 aimed to encourage the free flow of information among private and public institutions. However, many companies have been reluctant to participate in information sharing due to concerns about potential lawsuits, fear of losing customers over perceived security gaps, and confusion surrounding the regulatory stipulations about sharing certain data.

It’s also worth noting that there has been no legislation that compels public institutions to share cybersecurity information with the private sector, creating an environment of distrust and continued informational gaps.

Get everyone on the same page

The first step to addressing these challenges is creating a standardized framework for the entire United States so that cybersecurity teams have a common parlance and clear imperatives that make communication easier. The National Institute of Standards and Technology (NIST) Cybersecurity Framework, which provides voluntary guidance for critical infrastructure organizations to better manage and reduce cybersecurity risk, may be an ideal model.

However, any legislation, executive orders or state regulations being introduced also need to ensure private companies feel protected, informed and empowered to share information. That may mean government agencies need to make that communication a two-way street.

They also may need to open the gates between agencies and even between allied governments in order to fill in vital information gaps and make overall defenses quicker and more surgical. Entrenched norms can be difficult to change, but the ramifications of allowing this institutionalized silence to continue may be disastrous.

After all, there are few, if any, barriers stanching the flow of information among cyber criminals, and they’re adapting and evolving every day as a result.
