As I was recently preparing with my fellow panelists for a roundtable discussion at a CIO conference, I suggested we cover the increasing participation in public-private security and intelligence data sharing as a means to assist CIOs in staving off the cyber threats that face them today. Another panelist, a longtime advocate of public-private intelligence sharing, commented that we have been broadcasting this message for more than 15 years and that people are burnt out hearing it.
From one perspective, he's right. We've been working hard to convince government agencies and other companies that there's strength in sharing attack vectors and non-attributed threat intelligence. Within the finance sector, the Financial Services Information Sharing and Analysis Center (FS-ISAC) has done yeoman's work in bringing together a large number of financial institutions and government agencies to share intelligence that they have gleaned from their operations or research efforts. But, as I talk with the CISOs and CSOs in other critical infrastructure sectors, I find this same spirit of cooperation isn't as prevalent as it is in the financial sector.
Does President Obama's executive order signed on February 12, 2013 move the ball forward?
“Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security or national security.”
For those of us who have been pursuing an effective public-private threat sharing mechanism, there's hope that maybe this time a program will be developed that effectively accomplishes this task. Since May 1998 when President Clinton took the first major step in defining an information sharing program within the critical infrastructures, the public sector has been discussing how to make this happen. We have taken some small steps in 15 years, but what are we proposing differently today?
My first thought was, “Shouldn't we have figured this out over the past 15 years?” But I realized it hasn't been so much a problem of identifying the components of the critical infrastructure, but rather building comprehensive engagements of government agencies and private enterprises. While there may have been a theoretical capability to “share” threat information, the practical aspects of being able to do so have been limited by restrictions on law enforcement, as well as intelligence in providing threat indicators to potentially impacted organizations. An additional limiting factor has been the reluctance on the part of many companies to share data because of brand and reputational implications, as well as potential legal and privacy concerns. We are light years ahead of where we were in 1998, but still light years away from where we need to be.
Two elements of the program don't necessarily promote success in what may emerge. Something that looks, smells, and tastes like potential government regulation, and is voluntary, will not see a large uptick in commitment measured from where we are today. Likewise, the NIST churning cycles to produce a standard that will be, at the end of the day, voluntary doesn't bode well for the success of an emerging program. The bigger companies that “get it” will commit to the program and will probably become valuable partners in the process. But the smaller companies who have few extra resources and cycles to apply to this program will simply opt out of it.
We're not in Kansas anymore!
This Wizard of Oz nod alludes to the fact that the game we play today -- with international intellectual property spies and thieves, criminal hacker crews versus corporations, and even nation-states versus government agencies -- is completely different than the threat landscape even five years ago. It's extremely important that we protect the components of our critical infrastructure, but that still leaves a huge target base for our adversaries to operate within. Eventually, we will have to solve that problem too, but will that take another 15 years to accomplish? More importantly, will we ever address them or simply count them as collateral damage?
Protecting our critical infrastructure is one of the most serious national security issues we face today. Yet, for the past 15 years, we have struggled to make progress in this arena. We need to dedicate significantly more technical, human and capital resources to solving this problem. We also need to take stronger diplomatic actions against countries that perpetrate these crimes or harbor criminals that execute these attacks on our critical and non-critical infrastructure.
Being the eternal optimist, I'm cautiously looking forward to this executive order promoting programs that give us a more proactive response to threats and malicious activity heading in our direction. But, as with all things, the devil will be in the details.