14 July 2017

On Information Sharing: Once More, With Feeling


I hope this post is the last thing I ever write about information sharing. But let’s face it, we have been talking about information sharing for at least twenty years and we will probably be talking about it for twenty more.

That is because information sharing is actually as important as all the fuss about it would suggest. In cyberspace, it is commonly accepted that the attacker has the advantage. In a simple phishing example, an attacker can use the same attack infrastructure (same email address, same message, same payload, same hosting infrastructure) against multiple targets.

Many targets may ignore the email. Others may recognize that it is malicious. But some will inevitably click on it. When they do, one of two things is likely to happen: either a) their network gets owned; or b) the attack is detected by their security team and stopped. For the attacker, option a) is great but option b) is typically no big deal. After all, the attacker still has many other targets who did not recognize and stop the attack.

Here is where information sharing comes in. If one of the companies that detected and stopped the attack shares information that other companies can use to detect and stop the attack, the attacker’s advantage is all but erased. Gone is the possibility of re-using attack infrastructure against many targets. Now, the attacker needs to craft every campaign to be unique so that no part of it can be uncovered through a shared indicator.
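To make the mechanism in the paragraph above concrete, here is an added example (not code from the original post or from INSA) of what "a shared indicator" buys the second company. One organization that caught the campaign shares three indicator types: the sending address, the hosting domain of the lure URL, and the hash of the payload. A second organization screens its own mail log against them. Every indicator and log line below is constructed for illustration; the domains and hashes are not from any real campaign.

```python
"""Screen a mail log against indicators shared by another organization.

Added illustration: all indicators and log entries are constructed, not
observed data. The point it shows is that an attacker who rotates one
element (the sender) but reuses another (hosting or payload) is still
caught, which is why the text says every campaign would have to be
unique end to end to evade shared indicators.
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SharedIndicators:
    """What the detecting organization shares (constructed set)."""
    senders: frozenset
    url_hosts: frozenset
    attachment_sha256: frozenset


# Constructed payload hash so the example runs offline with no real sample.
PAYLOAD_HASH = hashlib.sha256(b"constructed payload").hexdigest()

# Indicators the first organization shares after stopping the campaign.
SHARED = SharedIndicators(
    senders=frozenset({"invoices@payrol-update.example"}),
    url_hosts=frozenset({"login-verify.example"}),
    attachment_sha256=frozenset({PAYLOAD_HASH}),
)

# Constructed mail log of a second organization. Each entry records the
# sender, every URL found in the body, and the SHA-256 of any attachment.
MAIL_LOG = [
    # 1: attacker reused everything.
    {"id": 1, "from": "invoices@payrol-update.example",
     "urls": ["https://login-verify.example/x"], "sha256": PAYLOAD_HASH},
    # 2: sender rotated, hosting infrastructure reused.
    {"id": 2, "from": "hr@other-sender.example",
     "urls": ["http://login-verify.example/y"], "sha256": None},
    # 3: sender and hosting rotated, payload reused.
    {"id": 3, "from": "hr@other-sender.example",
     "urls": ["https://benign.example/"], "sha256": PAYLOAD_HASH},
    # 4: unrelated, legitimate mail.
    {"id": 4, "from": "alice@partner.example",
     "urls": ["https://benign.example/doc"],
     "sha256": hashlib.sha256(b"quarterly report").hexdigest()},
]


def match_message(msg, ind):
    """Return the list of indicator types that fire on one message."""
    hits = []
    if msg["from"].lower() in ind.senders:
        hits.append("sender")
    for url in msg["urls"]:
        host = urlsplit(url).hostname
        if host and host.lower() in ind.url_hosts:
            hits.append(f"url_host:{host.lower()}")
            break  # one hosting hit per message is enough
    # Exact-hash matching only catches byte-identical payload reuse; a
    # recompiled or repacked payload would need its own indicator.
    if msg.get("sha256") in ind.attachment_sha256:
        hits.append("attachment")
    return hits


def screen(log, ind):
    """Map message id -> fired indicators, for messages with at least one hit."""
    result = {}
    for msg in log:
        hits = match_message(msg, ind)
        if hits:
            result[msg["id"]] = hits
    return result


if __name__ == "__main__":
    for msg_id, hits in screen(MAIL_LOG, SHARED).items():
        print(f"message {msg_id}: {', '.join(hits)}")
```

Messages 1, 2 and 3 are flagged; only message 4 passes. Rotating the sender alone (message 2) or the sender and hosting together (message 3) is not enough, because each shared indicator type is checked independently. The converse also holds: shared indicators are only as good as their coverage, so an attacker who changes every element, as the text says they would be forced to, is not caught by this check.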

Sharing information rigorously and in real time would give companies the equivalent of herd immunity. The problem, and the reason we are still talking about information sharing twenty years later, is that we lack an immune system in cyberspace—there is no secure and trusted way to communicate this critical information.

That’s why the Intelligence and National Security Alliance (INSA) published a white paper entitled “FINnet: A Proposal to Enhance the Financial Sector’s Participation in Classified Cyber Threat Information Sharing” last month. The paper advocates creating a classified network for the financial sector modeled on the highly effective DIBnet program run by the Department of Defense for defense contractors.

DIBnet's creators originally thought that its value would stem from its ability to share classified information with the private sector, but its real value has been the collaboration among participants. With secure devices and cleared users (not to mention legal penalties for misuse), DIBnet allowed defense contractors to work together to identify and respond to threats.

It also gave defense contractors one of the main benefits of having a separate, secure network for cybersecurity: a channel for incident response that the attacker cannot see.

In my time in government, I learned one basic rule from the Defense Department that the rest of the world needs to adopt: don’t use a compromised system to share information about the compromise. In the .mil world (and increasingly for .gov), an incident on an unclassified system is managed on a classified system. Using the same network that the attacker has compromised makes incident response all but impossible: an attacker who can read the responders’ email and tickets learns which indicators have been found and which systems are about to be rebuilt, and simply moves ahead of them.

Yet that is, of course, how almost every organization on the planet manages an incident.

In the INSA paper, we propose (I was a member of the task force that developed it) that the Secretary of Homeland Security use the authorities granted to that position in the Cybersecurity Information Sharing Act (CISA) and in Executive Order 13691 to establish the network. In doing so, the Secretary needs to set requirements for granting facility clearances that make sense for global financial institutions, not defense companies.

We recommend that the effort be piloted by financial firms that are designated as critical infrastructure under Executive Order 13636 (we use the Global Systemically Important Banks, the G-SIBs, as an unclassified stand-in for that list). Doing so would be the first tangible benefit that the government has provided to these organizations since designating them as such.

Critics will argue that the solution is not to extend connectivity but to declassify more information, and that the costs will be too high and the benefits too low. They don’t know what they are talking about. DIBnet shows the value of extending a classified network for cybersecurity to the private sector. We have tried every other approach, and we have an example of a program that has worked for over a decade. It’s time to stop talking about information sharing and actually start doing it.
