At a web conference meeting with IT security professionals in early December, IT advisory services firm Wisegate polled the small group about how comfortable they were with sharing cyberthreat information with industry peers and with government agencies.
When “sharing” included giving information to the government, about half of the group thought it was a bad idea. But when “government” was taken out of the sharing equation, some 80 percent of respondents were at least “somewhat comfortable” with sharing their knowledge.
Their mixed feelings about collaborating on security issues are common. Almost two years after President Obama's executive order on cybersecurity, a document that has shaped the cyber policy landscape, and one year after he signed an executive action aimed at increasing private sector information sharing on cyberthreats, questions remain regarding whether we can truly make collaborative security work.
Most recently, the Cybersecurity Information Sharing Act, a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime, was added to a consolidated spending bill in the U.S. House on Dec. 15. Some view it as a surveillance bill in disguise or think that it will complicate relations with foreign assets that forbid passing data to third parties.
U.S. businesses often have technical clues that could help thwart or limit the damage from a cyberattack – whether it's a nation-state-sponsored act of aggression or a criminal hack – but they’re often reluctant to share what they know, fearing possible legal liability.
On the flipside, the government often has information on looming cybersecurity threats, but struggles to quickly push it out to the private sector amid legal and national security constraints.
Luckily, many industries and organizations have been collecting and disseminating threat information among themselves for years – some through industry groups, others by peer group crowdsourcing, and others through vendors that sell the information. Most of these organizations agree that information sharing is working, but there are still many challenges.
Financial services lead the way
The Financial Services Information Sharing and Analysis Center (FS-ISAC), one of the oldest and largest ISACs, is a private, non-profit group with 6,700 member organizations worldwide.
“We have [government] partners that might share intelligence with us, but we’re not as much about providing information back to the government. That’s not what we do,” says Andrew Hoerner, an FS-ISAC spokesperson, adding that it took time to build relationships and trust among its members.
While he can’t talk about specific attacks that were thwarted because of information sharing, Hoerner could point to instances where one large bank will share information about an imminent cyberattack with another bank. If that bank has seen that same threat, they work together on a patch. If a bank’s competitors haven’t seen a similar attack, then they know they’re experiencing a targeted attack specific to their environment and have to react differently, Hoerner says.