Source: eWEEK | Robert Lemos | October 2, 2016
In January, President Obama signed the Cybersecurity Act of 2015, but companies remain in a holding pattern, waiting for legal clarity and demonstrable benefits before sharing sensitive information.
Sharing information on cyber-threats has garnered a great deal of U.S. government support over the past 18 months.
In February 2015, President Obama signed Executive Order 13691, encouraging collaboration between private companies and with the government through organizations known as information sharing and analysis organizations, or ISAOs.
Nearly a year later, Congress passed a 2,009-page military spending bill that included among its provisions the Cybersecurity Act of 2015, a law that affords companies legal protections in exchange for sharing information with the government about cyber-attacks. This past summer, the Department of Homeland Security released guidelines for sharing details of attacks with the federal government.
Despite the government action, companies have been reticent to begin sharing data on the attacks hitting their networks. One report found that while nearly 140 organizations were connected to DHS’s Automated Indicator Sharing system, only one company was sharing any significant amount of information.
Nine months after the Cybersecurity Act became law, the complexity of information sharing and the natural human reluctance to reveal details about network and data breaches means that convincing organizations to share continues to be difficult, Chris Coleman, CEO of threat-intelligence firm LookingGlass, told eWEEK.
“I always question whether it’s in human nature to share this type of information,” he said. “For companies, the legal issues of a material breach … mean that there is not a lot of established policy in regards to sharing. So [many say] why take the risk?”
Yet defenders need to exchange information on cyber-threats. Such intelligence promises to aid companies in hardening their defenses against the most pervasive attacks and assigning staff and resources to the most pressing threats.
Yet, very few companies have started sharing information. Large companies are studying the legal issues, concerned that talking about attacks will bring lawsuits and legal jeopardy. Smaller firms generally just do not know where to begin, Greg White, executive director of the ISAO Standards Organization and a professor of computer science at University of Texas at San Antonio, toldeWEEK.
“Mostly our problem at this point is getting the word out,” he said, adding that “if you are one of those entities that sign up for a feed and you are getting thousands of indicators, many don’t know what to do with that.
“The Cybersecurity Act of 2015 should assuage fears of legal repercussions to limited sharing. The law, which had been discussed in Congress in various forms for nearly a decade, orders government agencies to share information about threats with companies and other groups, and mandates new processes and systems to disseminate information about threats from the private sector to government agencies.
Before the law, companies would only rarely voluntarily share breach information.
Moving away from that entrenched mindset will take some time, LookingGlass’s Coleman said.
“One of the biggest fears of collaboration with the government is that we had no legal protections,” he said. “When we ran those sharing information agreements by the lawyers, they would shiver.
“Yet the formation of like-minded organizations to share best practices, information on ongoing attacks, and—for more advanced groups—indicators of compromise (IOCs) holds promise. Those groups—called information sharing and analysis organizations, or ISAOs—help mitigate fears that information may be leaked and collect professionals together who have the same potential issues, according to the ISAO SO’s White.
“Everybody needs to be part of an ISAO,” he said. “That is our opinion.”
The Department of Homeland Security selected the University of Texas at San Antonio to create standards for forming such information sharing groups. Many already exist. Businesses that are in industries deemed to be critical are likely a member of an information sharing and analysis center, or ISAC, which are now considered one type of ISAO.
Smaller companies, however, often are not served by such organizations because they do not have the expertise to use the data. Yet ISAOs can share best practice information and help corporate networks collaborate with each other.
“We are still trying to feel our way in what [is] the best type of information to share,” said Bill Wright, director of government affairs and cyber-security partnerships at security firm Symantec. “And while it is important, there is no silver bullet here. We still need good cyber-hygiene, we still need good technology and we still need good training for end users.”
Yet challenges exist for such organizations. Many companies do not like participating in groups where only a few members share information and the vast majority consume the intelligence. These other organizations—often called “leeches”—just consume information. The Cyber Threat Alliance, of which Symantec is a member, requires that each member share 1,000 new attack samples every day in an attempt to resist this tendency.”
The challenge in intelligence is that it is just information unless I can give you something that you care about that impacts your business,” said Coleman. “So we have to make sure that we are delivering something that is relevant to your business. Otherwise, you are giving the customer the top layer of information and forcing them to determine what they care about.”
Yet while information sharing will not, in and of itself, make companies secure, it is an important step, said Symantec’s Wright.
“Cybersecurity has become a team sport, and we have to be sharing,” Wright said. “Government can’t go at it alone, and companies cannot go at it alone.”