In the early days of the Obama administration, the president declared cyberspace a critical asset. Since then, little more than lip service has been paid on a policy level to the security of the country’s critical infrastructure, despite increasing public awareness of the problem and high-profile attacks on business and government alike.

Congress this summer had two cracks at passing some sort of legislation that would address critical infrastructure security and more, and both times the bill failed to pass the legislature. We now breathlessly await an Executive Order from the president that will likely lay the groundwork for more proposed legislation once Congress returns to session next year.

In the meantime, some work has moved the issue forward. Presidential Policy Directive 20 appeared in October, a secret directive that essentially laid some offensive and defensive ground rules in place for the U.S. military in case of a cyberattack on the country.

Yesterday, there was more movement. The White House released the National Strategy for Information Sharing and Safeguarding which is a framework for government agencies to share attack data to repel terrorist threats, cyberattacks and more.

Information sharing in information security circles has almost become a laughable cliché. Aside from the Financial Services ISAC and a couple of other regionalized efforts, very little formalized, organized sharing of data goes on. Most of it is ad hoc, between peers, college buddies and trusted experts. Most companies fear competitive and/or legal repercussions if the wrong kind of data is shared. Most complain about the lack of a mechanism that would sanitize and anonymize data on attacks and defensive best practices so that it could be shared across industries.

“Attackers have better sharing networks than we do,” RSA Security president Tom Heiser said during a recent security event in Boston. “The complexity of privacy laws we must follow and the legal liabilities in front of us are tying our hands. We have to find a way to increase sharing and visibility of networks while still protecting the privacy of our citizens.”

Small collaborative forums are trying to nudge vertical and horizontal information sharing along. It’s a necessity because on the enterprise side, boards of directors are asking good questions about threats to data and the bottom line. Security and IT managers had better have answers, understand risk, and speak to directors in those terms.

Any repository of threat and risk intelligence would be welcomed with open arms by executives inside organizations. One company’s contained threat could be a massive risk to someone else. How invaluable would it be to have a mechanism to host that data that is accessible and actionable by someone else?

The president’s new strategy says as much: “Our national security depends on our ability to share the right information, with the right people, at the right time. This information sharing mandate requires sustained and responsible collaboration between Federal, state, local, tribal, territorial, private sector, and foreign partners. Over the last few years, we have successfully streamlined policies and processes, overcome cultural barriers, and better integrated information systems to enable information sharing. Today’s dynamic operating environment, however, challenges us to continue improving information sharing and safeguarding processes and capabilities.”

The strategy stresses that information must be treated as a national asset and made available to support national security. It also urges agencies to work together to identify and reduce risks, rather than not share at all. Information, the document states, must underlie all decisions.

The president hopes the strategy achieves five goals:

  1. Drive collective action through collaboration and accountability: Using models to build trust and simplify the processes for sharing
  2. Improve information discovery and access through common standards: Doing so paves the way for less ambiguous policies. To achieve this, secure access via authentication and authorization controls, data classification and sharing standards is vital.
  3. Optimize mission effectiveness through shared services and interoperability: Bettering the efficacy of how information is acquired and shared is key here.
  4. Strengthen information safeguarding through structural reform, policy and technical solutions: This calls for controls on data, monitoring for insider and external attacks to better stave off threats to systems and information.
  5. Protect privacy, civil rights and civil liberties through consistency and compliance: Public trust must be a key consideration here, the document stresses. Privacy and civil protections must be built into any sharing mechanism.

Information and attack intelligence will serve any organization better than the latest, shiniest security technology. Enterprises and government agencies are constantly being told that situational awareness is required to fend off advanced threats from China, Russian cybercriminals and hacktivists. All well and good, but if we expect companies and agencies to deploy some sort of continuous monitoring, information and intelligence have to be the backbone of those efforts. Otherwise, like the two shots Congress had at passing cybersecurity legislation, that will fail too.

Categories: Government

Comments (2)

  1. Gary Driggs

    In addition to the sixteen ISACs that share information with each other, I can think of at least a half dozen crowdsourced or completely public threat intelligence sharing orgs like Emerging Threats. What I am not aware of, however, is a coalition of anti-virus and IPS/IDS vendors that share their threat intelligence freely with each other and the public. If a company like Kaspersky would be willing to step forward as an industry leader in this effort, perhaps others will follow suit.

  2. Dave Norton

    Sounds good… but one item in the list of the President’s goals especially caught my attention:

    “The president hopes the strategy achieves five goals:

    <snip>

    3. Optimize mission effectiveness through shared services and interoperability: Bettering the efficacy of how information is acquired and shared is key here.

    <end>”

    To begin with, where I come from “hope” is not a strategy…

    As an adamant three-decade proponent of “interoperability” I’m all too familiar with this two-edged sword. It’s predicated on widely embraced technical standards and implementation conventions, e.g., the IP stack as core enabler of the Internet, which indeed has immeasurable value. On the other hand, it also creates “computational monoculture,” which in essence means “one grenade gets ‘em all” when it comes to nefarious exploits of cyber vulnerabilities.

    The first part of this strategy goal invokes high religion: “Optimize mission effectiveness through shared services.” The resurrection of “timesharing” of the 70’s/80’s and “remote computing services” of the 90’s has re-emerged under the moniker of “cloud computing,” proffered as something new and improved – it really is neither, but rather just a fresh coat of paint. While ‘cost efficiency’ is a key motivator behind organizational embrace of any of the several faces of cloud service, e.g., “Infrastructure as a Service,” there is also an undercurrent motivation toward off-loading responsibility for cybersecurity to the service provider. This is illusory: users of outsourced services must never lose sight that while one can outsource responsibility, one can never outsource accountability in the context of fiduciary due care.

    Finally, while I won’t dispute the concluding claim: “Bettering the efficacy of how information is acquired and shared is key here,” to my eyes the real challenges in this area are by and large not technical in nature, but rather it’s lawyer-to-lawyer stuff. Attending the legal entanglements created by ‘virtually virual virtuality’ (cloud smoke and mirrors), and computational monoculture (the down-side of interoperability) appears to me to be one of the higher hurdles to progress in improving information sharing. Aside from protecting market and intellectual property capital, contracting language in this area is by and large an exercise in “CYA,” and setting out from that frame of reference is not especially conducive to engendering the trust needed to effect truly relevant and significant information sharing – indeed, especially when necessary reaction times are slim. My sense is that these issues will not be adequately resolved for a good while. Until our business and legal operatives become a good bit more apprised and conversant in the technical underpinnings of this multi-headed beast, lofty strategy statements will not meaningfully reify attainment of said goals. Or so it seems to me…

    Note: The opinion expressed herein is strictly my own, and should not be construed as representative of position or perspective of my employer.
