On Friday at the White House Summit on Cybersecurity and Consumer Protection, President Barack Obama signed an Information Sharing Executive Order to promote cybersecurity information sharing in the private sector.
I believe information sharing is the key to cutting down on the number of data breaches. For years, researchers have used back channels to share information, and this sharing only occurs after scrubbing the data, so as not to reveal the victims’ true identities.
One of the recurring mentions at the Cyber Summit was the constant need for a Security Operations Center to remediate threats and distribute information with other entities. To make this happen, we need to eliminate political and social barriers in order to allow researchers and security operations teams to efficiently share information in real-time, thus limiting the exposure that a certain attack vector may have on targeted industries.
Kenneth Chenault, CEO of American Express, mentioned that laws need to be changed to allow companies to effectively notify customers of potential threats and data breaches. He had mentioned that a certain law from the 1990s limits the amount of people that can be notified about a potential threat to only about 10% of their customer base. He said, “We source over 100,000 attack indicators yearly from various sources, but only 5% come from industry sharing through our ISAC and less than 1% come from the government.” The remainder of the indicators come from private sharing and analysis of their own data.
It was mentioned that the “information super highway” should be treated like a regular highway, where driver’s licenses are issued and law enforcement monitors and enforces the rules. I don’t think we need to go to that level and manage the “information super highway.” This will stifle the creativity and freedoms upon which the Internet was built. We need to rely on intelligence gathering and sharing to make sure that threats are tracked and risks are mitigated.
Although the Information Sharing Executive Order has been signed, it will be interesting to see how it is implemented. If we truly want to have a united front in terms of protection of national and regional businesses and governments, the government will have to share the stockpiles of Zero Day vulnerabilities that it has access to. If the government shared that type of information, then manufacturers and software vendors would be able to proactively patch vulnerabilities that they were previously unaware of.
These proactive actions would protect companies because we use all the same software and equipment in the transport of data across the world. If there are limited vulnerabilities, then there will also be limited attack vectors. A limited number attack vectors makes the tracking of malicious actors easier and we can more efficiently use our security resources to protect our environments.
The information sharing process will have to start with a common framework. Most companies that are sharing information are using either the NIST or Microsoft’s information sharing framework. Having a common framework will allow us to share information across multiple platforms through a common language. Researchers have been struggling to build infrastructure and maintain lists of validated individuals to share data with. If they had the support of all the companies represented at the Cyber Summit, then we would have more efficient portals and infrastructure to support information sharing beyond what takes place today.