Developing your own infrastructure protection solution
The era of governments protecting business and citizens from serious attacks, including from foreign adversaries, may have already passed – at least in the context of cybersecurity. That is, while it remains reasonable to expect governments to protect against physical attacks such as bombs and missiles, as a general matter, today governments lack the authorities, capabilities, and resources to do something similar in the cyber domain.
As a result, every organization must develop its own plan and associated solution for infrastructure protection, and must supply for itself the external capabilities that a government might once have brought to bear. The good news is that this plan and solution can be constructed using existing enterprise security programs as a base. That is, the functional, procedural, and policy decisions made to stop enterprise-grade threats represent the correct underlying security base on which to build a foundational model for dealing with larger threats. The challenge, of course, is that truly taking on this mission will require taking the SOC and cyberdefense culture of information sharing and making it a rubric for the whole organization.
What attributes must be present for organizations to succeed in a cooperative?
Three attributes must be met by an organization before cyber risks to critical infrastructure can be properly addressed via a cooperative sharing group. These attributes line up directly with the belief structure of the key stakeholders and decision-makers in the information technology, infrastructure, and cybersecurity groups, as well as at the corporate leadership and board level. These are not attributes that can simply be imposed on an organization. Rather, they must be closely held by the relevant principals:
- Risk Acknowledgement – An organization must acknowledge the nature and scale of security risk to its infrastructure and to its overall corporate health. If the belief exists that vulnerabilities are minor and that infrastructure cannot be seriously degraded via cyberthreats, or that such efforts won’t materially affect the corporate bottom line, then participation in a cooperative group is unlikely to be successful. Organizations must be willing to acknowledge the presence of significant risk that needs to be mitigated aggressively before joining any collective sharing group.
- Willingness to Share – An individual organization considering joining a collective defense group must also recognize and be willing to participate in the bidirectional nature of information sharing. That is, joining a cooperative cannot be done solely to collect data from others. Rather, just like in any trusting relationship, it must include an open willingness to share information with other members of the group. Anonymous, non-attributed sharing mechanisms can be helpful, but willingness to share (and to share broadly) is essential.
- Desire to Mitigate – The purpose of any cooperative sharing group is to provide a rich source of information, from which actionable intelligence can be derived. Involvement in the group should therefore be predicated on the desire to actually mitigate cybersecurity risk, rather than to simply meet some compliance obligation.
These three conditions must be met honestly by each individual organization participating in a collective defense system, and are listed here to help make the collective involvement successful. Any organization that doesn’t fully accept the presence of cyber risk, doesn’t plan on sharing relevant information with others, or has no intention of using the shared data as the basis for real security mitigation and response, is probably best advised to invest its time and effort in other types of security approaches.
It is worth mentioning that some organizations join information sharing groups to collect information relevant to executive and board presentations. Board members, in particular, like to be provided context around cyberthreats, including malicious actor attribution, so sharing often helps to obtain this information across a given industry or across multiple sectors. So long as the ultimate purpose in educating board members is to improve the overall security posture of the organization, this motivation for joining a collective seems acceptable.
What are the parameters for establishing trust in a cooperative?
The concept of trust between participants in any cyber cooperative is influenced by several factors. First, there is the business or government sector of the participants. It is not a stretch to assume that participants in a common sector will tend to be more trusting of the information being ingested, simply because their vantage points will be similar. Two banks, for example, will tend to trust each other’s interpretations of some vulnerability and its consequences.
Second, the relative size and expertise of sharing participants will influence mutual trust. A general rule is that most organizations will tend to trust information from larger organizations or peers, but will be more tentative about information coming from smaller participants or non-peers. The size of an organization and trust in the value of the information it shares are not perfectly correlated, because a large bank might trust information coming from a small but expert advisory group. In general, however, peer or larger organizations tend to be assigned more confidence in the information they share.
These two factors – sector and size – can be merged into a so-called measure of peer correlation that can be useful in analyzing the potential effectiveness of a given cooperative. By creating a simple grid on these two factors, we can depict the degree to which participants will tend to view shared information as correlating with their own situation. Two large banks, for example, might find some shared data highly correlative, whereas a small retail shop might find the same data less applicable.
It is worth noting that competitive forces will clearly influence the willingness of a given organization to share information with a cooperative group. While it is true that many industries tend not to differentiate based on relative security capability, there are some industries where this is less accurate. Cooperatives that include entities competing on cyber-related capability will have to work harder to maintain mutual trust; as a result, sharing both within a sector and across multiple sectors is key.
Third, the interdependency of organizations will influence trust. Few organizations today are vertically and horizontally integrated. Rather, many organizations rely on an interdependent web of organizations to build, distribute, or deliver their solutions or capabilities. Sectors such as banking today rely on the energy sector to ensure a ready source of power and on the telecommunications sector to interact with other banks and their customers. Other sectors, such as aerospace, rely on complex supply chains of hundreds of component makers to bring their products to market. Finding groups of interconnected organizations can help identify entities that are likely to be willing to work collaboratively, given their existing economic alignments.
Are there any legal or privacy issues associated with joining a trusted sharing group?
Joining an information sharing group will introduce a myriad of management questions from the legal and privacy teams in any organization, especially in larger organizations with significant regulatory overlays and potentially severe attack consequences. These questions are best addressed well before the decision has been made to join a sharing group, so as to avoid the cost of unwinding a decision to join. The biggest issues that tend to require consideration when joining any cybersecurity cooperative are the following:
- Protecting Information – By sharing information with a cooperative, the organization introduces the possibility, however small, that sensitive data could be mishandled and leaked. To deal with this issue, cooperatives must include mechanisms for protecting data both in transit and at rest, including the robust use of strong encryption.
- Working with Competitors – If a cooperative includes competitors, even given the provisions of CISA in the United States that squarely address these issues, legal teams will likely want agreement on the basic procedures for sharing, especially in regulated industries.
- Avoiding Unexpected Risk – In general, enterprise legal, privacy, and security teams will be averse to any unexpected risk that might emerge as a result of joining a sharing cooperative. This requires that cooperative cyber sharing groups include solid documentation of expectations for participants. New risks can always emerge, but surprise should be minimized.
The best way to handle these legal and privacy issues is to directly involve staff from these teams in the decision-making process around joining or establishing a group. Many excellent commercial vendors can provide sound advice to companies considering use of an information sharing cooperative, and can help legal, policy, and privacy staff become more knowledgeable and comfortable about what to expect.
The purpose of this report has been to make the case for cooperative cybersecurity protection for large-scale infrastructure. It should be obvious from the discussion that the authors strongly believe organizations should willingly, aggressively, and openly share in cases where mutual benefit can be obtained. To this end, it becomes the obligation of all participants in the security ecosystem – business, government, and vendors – to support this objective.
As should also be obvious from the discussion, trust is the adhesive that holds information sharing and meaningful collectives together. Establishment of trust between organizations is simple when all political, philosophical, business, societal, and even military objectives align closely. It is more difficult, however, when one or more of these objectives do not align. In these cases, more effort is required to establish trusted agreements toward a working collective.
It is the sincere hope of the authors that the goal of protecting critical infrastructure will be treated as paramount, especially where cyber attacks could produce negative consequences for the safety and even the lives of individuals and groups. The material we have shared here represents our modest contribution to achieving this goal, and we hope that readers will take our recommendations into account as they build, operate, and maintain infrastructure.