By Lennart Maschmeyer
Millions are now working from home with unfamiliar software, providing massive opportunities for malicious actors. In response, volunteers from the information security sector have formed collaborative initiatives to disseminate urgently needed information to the public. This post examines how the current crisis conditions enabled the formation of the COVID-19 Cyber Threat Coalition (CTC), the largest of these initiatives, based on an interview with the founder. It also identifies an opportunity to institutionalize a similar, need-based threat information platform through government action.
The Problem: Information on Cyber Threats is Scarce and Unevenly Distributed
Since the start of the crisis, over three billion people have experienced life under lockdown conditions and hundreds of millions have switched to working from home, having to adapt to unfamiliar software and services for remote work. Such services have not always been designed with sufficient security and have become immensely attractive targets. Providers are also scrambling to manage the explosion in user numbers. All of these conditions, combined with the elevated stress and anxiety created by the crisis experience, are producing increased vulnerabilities nefarious actors can exploit. Accordingly, there are widespread reports of an increase in malicious activity, including targeted efforts to exploit prevailing fears. Depressingly, some malicious actors have even continued to target critical health infrastructure in pandemic-stricken countries.
Hence, accurate information on cyber threats is urgently needed, especially by critical infrastructure providers. The main sources of such information are information security vendors. These firms sell two main products: network protection services and customized threat reports. In addition, they publish free reporting on unique and interesting cyber threats as a marketing instrument to attract further business. These free reports are currently the main source of public knowledge on threats, providing a benefit to the entire cybersecurity community. However, firms need to make a profit and hence they focus on threats promising the most revenue. Moreover, threat data may contain private information belonging to customers of these vendors that is subject to confidentiality agreements, something that can result in relevant information not being provided in public reports or prevent publication altogether. The result is a classic market failure, a collective action problem that prevents information reaching some of those who need it most. The current crisis has made the negative consequences of this more apparent.
The Crisis-time Solution: Spontaneous Collaboration Bridging Organizational Divides
In response, information security professionals have set up volunteer initiatives to pool skills, compiling threat reports and offering assistance to targeted organizations free of charge. There are currently four main initiatives: the COVID-19 CTI League, which focuses on health care providers; the Cyber Volunteers CV19, who also prioritize health care providers; the Covid-19 MISP Information Sharing community, which deals with open-source sharing of technical indicators; and COVID-19 CTC, which combines the sharing and dissemination of both technical indicators and threat intelligence. This post focuses on COVID-19 CTC because it aims to alleviate the core problem identified above: the scarcity and unequal distribution of information.
COVID-19 CTC offers two resources: a database of technical ‘indicators of compromise’ and a weekly threat report that is accessible to a general audience. The proprietary data that participating vendors contribute to the effort is, of course, still generated based on their profit interests. The products, however, are not. Through the initiative, more than 2,500 experts from leading firms as well as governments collaborate to offer up-to-date information on threats, something which benefits the global community according to perceived need rather than profit interests.
Cooperation Challenges and Solutions at COVID-19 CTC
How was this cooperation possible? I interviewed COVID-19 CTC’s founder Joshua Saxe, Chief Scientist at Sophos, to find out. According to Saxe, the main challenges to such an effort are the self-interests of individual vendors, which prevent cooperation, and the sensitive nature of the data, which complicates sharing, because “cyber-attack artifacts are needles in haystacks of benign and often private data”. To overcome them, COVID-19 CTC has successfully created processes for voluntary data-sharing where members “share only what they’re comfortable with” while vetting mechanisms “provide reasonable assurance that what we re-share with the public are examples of truly malicious artifacts”. This key contribution is worth preserving because the centralized threat information it enables provides benefits to the entire cybersecurity community—and by extension, every user of the Internet. Therefore, it is important to examine the conditions that made this effort possible, four of which stand out.
First, an extraordinary sense of motivation and shared responsibility to act in the face of a crisis. Saxe explains how a “personal sense of alarm” and a desire to “gain a sense of influence over large-scale impersonal biological and economic forces” motivated him and his collaborators to spring to action.
Second, a temporary suspension of business competition. Saxe conceives of COVID-19 CTC as a “crisis commons model” where “parochial interests set aside traditional competition and grievance in a moment of exceptional need”—reflecting a clear awareness of the collective action problem that has thus far prevented similar efforts.
Third, firms have been willing to donate critical infrastructure and resources. According to Saxe, COVID-19 CTC can only operate thanks to “tens of thousands of dollars in donated software licenses and commercial threat feeds”.
Fourth, COVID-19 CTC’s members have donated their own time. Saxe highlights that all members continue to work in their day jobs, contributing to the initiative in their free time. Despite his idealistic motivation, Saxe thus does not expect the initiative to persist beyond the crisis, instead foreseeing a return to ‘normal’ where “talent, information, and capabilities are unnecessarily separated between competing firms and agencies”.
The extent of this spontaneous cooperation is surprising because firms have not only suspended the fierce competition that normally shapes the sector but also actively contributed resources to this effort. Clearly, these measures can only be sustained temporarily, but there is a way to institutionalize them.
Institutionalizing Need-Based Threat Reporting Requires Government Action
The implementation of data-sharing and dissemination practices by COVID-19 CTC was only possible due to extraordinary conditions. However, the initiative shows a path towards institutionalizing the provision of threat information based on need beyond the crisis. The initiative shows that it is possible to create processes for sharing data across firms without undermining their business or revealing their customers’ sensitive data. Moreover, the processes implemented by COVID-19 CTC are already accepted by the industry, which is widely represented in the initiative.
When the crisis passes and competition resumes, the donated labor and resources will dry up. Yet with government support, the processes and products this initiative has established could be institutionalized, and an academic research center offers the best promise of success. As my colleagues Florian Egloff and Andreas Wenger have previously argued, an academic institution is the best available model because adherence to standards of peer review, transparency and independence will ensure legitimacy and trust in findings. The Citizen Lab at the University of Toronto has already demonstrated that it is possible to conduct independent, needs-based research on cyber threats that is widely respected among the cybersecurity community. While the Citizen Lab focuses on threats to civil society, the proposed institution would focus on threats to other areas of key public need—such as critical health infrastructure.
Such an institution will require funding to acquire necessary hardware and software licenses as well as to attract skilled labor. However, an adherence to academic standards of research will ensure the cybersecurity community will perceive the institution’s findings as useful and trustworthy, even if some of this funding comes from government sources. The main condition for success is that funding must come with minimal strings attached and a transparent relationship that prevents the politicization of the institution. Importantly, the industry demonstrated a willingness to share data before the crisis, as shown by the Cyber Threat Alliance (CTA). A university-based institution has the best prospects of overcoming the significant remaining challenges towards implementing such sharing in practice, ones which the CTA’s President, Michael Daniel, has just highlighted again.
Crises disrupt established systems and institutions, causing suffering and despair. Yet they also offer opportunities to create new and better institutions. As Robert Keohane and Joseph Nye remind us, crises facilitate the formation of new institutions because they “shatter complacency about the absence of regimes”—but only if policy-makers are aware of, and have thought through, the underlying issues preventing cooperation. It is in line with this that the current crisis offers an opportunity for lasting change.
The Center for Security Studies (CSS) is investigating the medium and long-term consequences of the corona crisis through two research projects. One project focuses on national and international crisis management. The other addresses the effects of the crisis on international relations and national and international security policy. To find out more, see the CSS special theme page on corona.