Threat Management

Cyber Threat Alliance’s Michael Daniel: For threat sharing to work, fewer organizations should do it

In countering ransomware, “the government has options, but none of them are easy or fast,” said Michael Daniel, former White House cybersecurity coordinator and current president and CEO of the Cyber Threat Alliance.

There are few processes in cybersecurity that have a wider gap between their perceived and actual value than information sharing. Despite a clear hunger in industry and government for greater sharing around cyber threats, many major information sharing initiatives fail.

Michael Daniel, former cyber coordinator under the Obama administration and now president and CEO of the non-profit Cyber Threat Alliance, thinks he knows why.

While speaking at the RSA Conference, Daniel suggested that most failures in information sharing can be traced back to three core, faulty assumptions: that cyber threat intelligence (CTI) is purely about passing along technical data, that all organizations should be sharing data and that such intelligence is often easy to share and use.

Click here for more coverage of the 2021 RSA Conference.

While technical data such as indicators of compromise are useful, there are reams of non-technical intelligence that often doesn’t require a computer science background to understand and act on. For example, simply communicating that a particular device or piece of software has a vulnerability can be a valuable form of non-technical threat intelligence.

“Sure, there’s technical information that goes underneath that, but that a patch is needed is not technical but clearly relevant” to many businesses, Daniel said.

In fact, Daniel identified at least 11 distinct types of threat intelligence across four categories, that range from technical (hashes, IP addresses and binaries) to the tactical (warning that an APT group is exploiting a vulnerability in a commonly used device or system) to the operational (attribution) and strategic.

While viewing intel sharing in this way can introduce more complexity into operations, many of the categories don’t require high levels of IT sophistication to grasp, all are used to accurately assess risk posture. It can also help communication of cyber risks in a way that is more easily understood by executive decision makers. They may not know what to do with a binary hash, for example, but they can comprehend how a Chinese APT targeting their sector and tools can translate to budget and operational problems.

The second assumption is that the more organizations that share information, the better. The idea “that everyone should be participating in efforts to move that kind of data around the ecosystem” is false, Daniels said, for the very simple reason that most organizations are terrible at it.

“We keep asking non-security organizations to share highly technical CTI and then wonder why they fail at it,” said Daniels. “We need to think differently about why an organization might share CTI, why they might consume it and what they would get out of those activities.”

The reality is that most organizations in the public and private sector are already drowning in information and not equipped to consume or share threat intelligence, at least not well. Instead of encouraging everyone to share everything and creating a bigger haystick to lose sight of the needle, organizations should really only be focused on sharing or consuming the fraction of the threat information ecosystem that are relevant to their business needs.

Daniels posited that the opposite is likely true: the less organizations share (and the more targeted that sharing is), the more high-quality and useful that information will be to the broader community that needs it.

“Frankly, most CTI types are irrelevant for most types of organizations,” said Daniels. “They aren’t going to be able to use it, it’s not clear how it relates to any of their business systems. The fact is most organizations only need to make very few cybersecurity decisions, and they’re certainly not making them every second or even every day in many instances.”

The third and final bad assumption on the part of many organizations is that, because other forms of information flow so quickly and smoothly over the internet, information sharing around cyber threats should be easy. But the decaying bones of many past information sharing efforts and initiatives undercut that notion.

A theme running throughout all these failed initiatives is that, because of problems stemming from the first two assumptions, they tended to be populated with low-quality data and uneven effort across different companies and industries. Daniels said the fact that his nonprofit organization exists in the first place is evidence that it is harder than many imagine.

High quality information sharing requires money, time and attention, but it’s really a larger sense of trust that the initiative will yield value over time that justifies the other three investments. It’s why Daniels believes fewer organizations sharing can improve the clarity and utility of that information and push the companies that do share to step up their games.

“Time means someone has to spend part of their day working on it,” said Daniels. “You can’t treat it like an occasional side project or you will get results that look like it’s an occasional side project.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.