In the early days of the Obama administration, the president declared cyberspace a critical asset. Since then, little more than lip service has been paid on a policy level to the security of the country’s critical infrastructure, despite increasing public awareness of the problem and high-profile attacks on business and government alike.
Congress this summer had two cracks at passing some sort of legislation that would address critical infrastructure security and more, and both times the bill failed to pass the legislature. We now breathlessly await an Executive Order from the president that will likely lay the groundwork for more proposed legislation once Congress returns to session next year.
In the meantime, some work has moved the issue forward. Presidential Policy Directive 20 appeared in October, a secret directive that essentially laid some offensive and defensive ground rules in place for the U.S. military in case of a cyberattack on the country.
Yesterday, there was more movement. The White House released the National Strategy for Information Sharing and Safeguarding, which is a framework for government agencies to share attack data to repel terrorist threats, cyberattacks and more.
Information sharing in information security circles has almost become a laughable cliché. Aside from the Financial Services ISAC and a couple of other regionalized efforts, very little formalized, organized sharing of data goes on. Most of it is ad hoc, between peers, college buddies and trusted experts. Most companies fear competitive and/or legal repercussions if the wrong kind of data is shared. Most complain about the lack of a mechanism that would sanitize and anonymize data on attacks and defensive best practices that could be shared across industries.
“Attackers have better sharing networks than we do,” RSA Security president Tom Heiser said during a recent security event in Boston. “The complexity of privacy laws we must follow and the legal liabilities in front of us are tying our hands. We have to find a way to increase sharing and visibility of networks while still protecting the privacy of our citizens.”
Small collaborative forums are trying to nudge vertical and horizontal information sharing along. It’s a necessity because on the enterprise side, boards of directors are asking good questions about threats to data and the bottom line. Security and IT managers better have answers and better understand risk, and speak to directors in those terms.
Any repository of threat and risk intelligence would be welcomed with open arms by executives inside organizations. One company’s contained threat could be a massive risk to someone else. How invaluable would it be to have a mechanism to host that data that is accessible and actionable by someone else?
The president’s new strategy said as much: “Our national security depends on our ability to share the right information, with the right people, at the right time. This information sharing mandate requires sustained and responsible collaboration between Federal, state, local, tribal, territorial, private sector, and foreign partners. Over the last few years, we have successfully streamlined policies and processes, overcome cultural barriers, and better integrated information systems to enable information sharing. Today’s dynamic operating environment, however, challenges us to continue improving information sharing and safeguarding processes and capabilities,” the report said.
The strategy stresses that information must be treated as a national asset and that such data must be made available to support national security. It also urges agencies to work together to identify and reduce risks, rather than not share at all. Information, the document states, must underlie all decisions.
The president hopes the strategy achieves five goals:
- Drive collective action through collaboration and accountability: Using models to build trust and simplify the processes for sharing.
- Improve information discovery and access through common standards: Doing so paves the way for less ambiguous policies. To achieve this, secure access via authentication and authorization controls, data classification and sharing standards is vital.
- Optimize mission effectiveness through shared services and interoperability: Bettering the efficacy of how information is acquired and shared is key here.
- Strengthen information safeguarding through structural reform, policy and technical solutions: This calls for controls on data and monitoring for insider and external attacks to better stave off threats to systems and information.
- Protect privacy, civil rights and civil liberties through consistency and compliance: Public trust must be a key consideration here, the document stresses. Privacy and civil protections must be built into any sharing mechanism.
Information and attack intelligence will serve any organization better than the latest, shiniest security technology. Enterprises and government agencies are constantly being told that situational awareness is required to fend off advanced threats from China, Russian cybercriminals and hacktivists. All well and good, but if we expect companies and agencies to deploy some sort of continuous monitoring, information and intelligence have to be at the backbone of those efforts. Otherwise, like the two shots Congress had at passing cybersecurity legislation, that will fail too.