Sharing is caring, but it’s also a tricky business.
Last week, Facebook announced that over 90 companies are sharing cybersecurity information with each other through its systems. They’re collaborating via ThreatExchange, the API-accessible community that it launched for that purpose back in February. US government agencies are specifically not invited, though. This shows just how difficult it is to encourage a culture of information sharing between all interested parties, including those in the public sector.

Sharing information is a useful way to protect the herd, argues William Peteroy, founder of security consulting firm Icebrg, who spoke about network asymmetry at SecTor last year. “It’s one of the most powerful tools out there,” he said, but adds that for the most part, it happens in an informal way, without much automation.

A short and long-term vision

In an ideal scenario, what kinds of information can be shared? Peteroy divides it into short- and long-term components. He takes information detection systems, which often operate in real time, as an example of short-term data.

“We have to combine those with other technologies that give us a longer term view from a user and host perspective,” he said. “Those things, when combined and automated with this information sharing network, would become extremely powerful.”

Cybersecurity metrics fit nicely into that longer-term slot. “Metrics create even more value when they’re shared,” argues Jessica Ireland, research manager for security and risk at Info-Tech Research, who will be discussing strategies for cybersecurity metrics this October.

Companies can combine metrics to look for trends, identifying similarities in their data that may help them to spot emerging attack behaviours and ward off potential threats, she explained.

“On the other side, understanding effective operations (reducing the amount of time to respond to a security incident, for example) can simply help organisations save money,” she said. “Sharing can be a win-win if it’s done right.”

The US Government wants in

The White House is eager to get in on the action, encouraging information sharing partnerships between the public and the private sector. President Obama has called for legislation on this for some time, signing an executive order in February explicitly calling for such measures. He advocated for the creation of information sharing and analysis organizations (ISAOs) that would be hubs for information sharing.

Non-profits, industry associations or single companies could all fulfil this role, the Order suggested. The US already has sector-specific Information Sharing and Analysis Centers (ISACs), and these could be instrumental, it added.

There have been several attempts at legislation to encourage information sharing south of the border. Senator Dianne Feinstein introduced the Cybersecurity Information Sharing Act of 2014 in July last year, but it hasn’t progressed through Congress. Just this month, a vote on the bill was postponed until September, amid concerns over the handling of privacy in the legislation.

Privacy worries

One concern is that organisations may be reluctant to divulge too much information about attacks. Not only might it give away key secrets to competitors in an inter-company setting, but it could also lead to lawsuits from customers or from regulators.

In his executive order, Obama called for “strong protections for privacy and civil liberties” among private sector organizations, and agencies, when dealing with company cybersecurity information.

More recently, Senator Tom Carper (D-Del) introduced the Cyber Threat Sharing Act. In April, a bipartisan bill, the Protecting Cyber Networks Act, also encouraged voluntary information sharing between companies, and with government agencies, with a focus on protecting privacy. This bill specifically prohibits NSA or DoD involvement in such information sharing. There are other bills, too, and the Congressional Research Service has analysed them all in a report.

Inter-company competition may also be a worry for companies in the same sector. Robert Hansen, the VP of WhiteHat Labs at WhiteHat Security, uses nature to describe co-operation between defenders in the cybersecurity battle, drawing an analogy with prairie dogs and predators like hawks or coyotes.

“Normally during the day, the prairie dog won’t help adversarial prey animals like squirrels and rabbits and will actively eject them from their holes. However, when a hawk or coyote comes around, they alert everyone nearby and allow in any animals who can fit into their holes,” he said. “This evolution makes sense, because it helps to starve the predators, who will either die or move on to other areas.”

This analogy falls down in the hacking world, though, because a single adversary can attack all endpoints at virtually the same time, he warned. “And the slow-moving prey don’t actually die most of the time, which slows down evolutionary changes.”

Such challenges notwithstanding, there is an appetite for such information sharing. The level of interest in ThreatExchange speaks volumes. A collection of CIOs has also formed the CIO Coalition for Open Security (also known as the CIO Coalition on Cyber Security). It has a manifesto for cross-industry collaboration.

In Canada, we seem far behind this curve. There is very little formal inter-company information sharing and little structured co-operation with government, although Public Safety Canada is at least encouraging some private sector engagement in co-operation with the US DHS. Kevvie Fowler, a partner in KPMG Canada’s risk consulting service, and Bell Canada’s security head Vivek Khindria both called for more at a summit in June.

The appetite is there, but questions remain. Who will take the initiative? How much should government be involved? And how can we build an effective information sharing culture that balances risk and reward?

To discuss current security issues, register at SecTor, which takes place at Metro Toronto Convention Centre in downtown Toronto on October 20-21, with a training day on October 19.