Cybersecurity Information Sharing a Tool for Situational Awareness
Knowing the cybersecurity threat might be half the battle toward mitigating problems, but the popular push and mounting trend toward increased information sharing, particularly between industry and the federal government, is not the be-all and end-all, according to one security expert.
Too much focus by both government and industry on paving the way for information sharing alone misses the key fact that the tactic should not be the endgame but a tool for gaining better situational awareness to make informed cyberthreat decisions, Bob Dix, vice president of global government affairs and public policy at Juniper Networks, said Tuesday at the Homeland Security Conference in Washington, D.C. "As a nation and global community, we need to change the equations by making it more difficult and more costly for the bad guys."
Contrary to the rhetoric surrounding the cybersecurity discourse that puts much of the vulnerability blame on commercial businesses, the problem is not in the private sector alone, Dix shared. Both the executive and legislative sides of government need to make good on promises to involve industry by actually involving industry in cybersecurity discussions, rather than drafting legislation without industry input, he added.
Recently, the White House launched a legislative proposal to promote better cybersecurity information sharing between the private sector and the government and among themselves, while encouraging the private sector to share appropriate cyberthreat information with the Department of Homeland Security’s (DHS's) National Cybersecurity and Communications Integration Center (NCCIC).
The government does have a role in helping private companies find solutions to mitigate cybersecurity threats, but that role should be limited and focused, cautioned Rich Struse, chief advanced technology officer for the DHS NCCIC. For example, the department relies on its Einstein automated intrusion detection system, a continuous monitoring program to help protect all .gov domains from malicious cyber activities. “We don’t do that for the private sector, and we don’t want to and you don’t want us to,” Struse told attendees.
Panelist Charlie Benway, executive director of the Advanced Cyber Security Center, embraced the information sharing concept. “Cybersecurity is a team sport,” he said. “There is no silver bullet and no one enterprise or sector has the one answer.”
The push toward easing hurdles that stymie information sharing between companies can only help, advised Carlos Kizzee, vice president for multi-sector initiatives for The Center for Internet Security. “Collectively we can do better than independently.”
The issue of trust, or rather the lack thereof, wove in and out of the panel’s discussion. Businesses often do not trust one another, much less the government, with shared information. But gone are the days in which people can rely on building trust via face-to-face interactions. “We moved to organization-to-organization [trust building] and now, we’re poised on the edge of a world where it will have to be machine-to-machine sharing,” where users do not know who exactly is on the other end but must trust regardless, Struse said.
Face-to-face trust building is not scalable and “can’t be the way forward,” echoed Benway, adding that trust in this arena is a double-edged sword: government and industry see the need, but neither trusts the other.
Finally, while the federal government years ago launched a national campaign to educate the population on safe cyberpractices, the campaign is not well publicized and the lessons do not seem to have resonated. For example, eighty percent of exploited cybersecurity vulnerabilities are the direct result of poor or no cyberhygiene, experts shared during one of the seven panel discussions presented during the conference.