Fostering Public-Private Collaboration on Cybersecurity

Improved cybersecurity communication and collaboration between public and private sector organizations has been a goal—or perhaps a dream—for many years. Both sides have taken strides to meet in the middle, but true collaboration is a long way off. The 20 different Information Sharing and Analysis Centers (ISACs) and the National Cybersecurity and Communications Integration Center (NCCIC) are perfect examples of organizations formed to foster partnerships between public and private entities, and these groups have been successful. However, their success has been tempered by what’s often perceived as one-way sharing — the flow of information from private companies to public sector counterparts.

The truth is that government entities are open to information gathering but often are restricted in what they are able to share in return. With cybersecurity crossing into issues of national security, a lot of information collected by the U.S. government about adversaries, attacks, and attack techniques becomes classified; only those with sufficient security clearance are privy to that type of information. That excludes most private sector employees, even the ones tasked with finding, investigating, and remediating their own companies’ cyber threats and attacks every day. In some cases, the adversary might be the same for private and public organizations, but because one group has restrictions on who can discuss what, private sector employees don’t benefit from public sector cyber threat intelligence.

This is extremely unfortunate since collaboration and communication about adversaries’ tactics, techniques, and procedures (TTPs) would be universally advantageous. In the case of cyber risk, the more you know, the better able you are to create defenses against known and possible threats. Besides, it’s fairly accepted knowledge that adversaries are not only sharing their own TTPs, but also information about targets — where vulnerabilities exist, what types of systems and data they use, any personal information about high-profile targets that could be useful in phishing, etc. In other words, the bad guys are sharing—and succeeding—so logically the good guys should be sharing too.

Roadblocks to cyber threat intelligence sharing

Despite best intentions, there are several issues with a truly open system of information sharing between sectors. In addition to the aforementioned security clearance obstacle, private companies have serious concerns about fully sharing cyber threat intelligence with government counterparts. For one thing, there is a bias on the part of private sector employees to believe that the “real skill” resides in the private sector. Government employees are historically paid less than those working in industry, plus they are regularly subjected to heightened restrictions on how they’re able to protect their organizations. In what’s essentially a zero vacancy field, talent is likely to go where the money goes and where creativity is prized. This begets an imbalance in the level of faith private sector employees have in their public sector peers’ abilities to contribute equally. With trust at a minimum, the desire to collaborate decreases.

Secondly, private sector intelligence and security professionals have concerns about disclosing breach details and private data (especially during an active incident) to government entities. The concerns center around losing control of investigations, opening up the company to external criticism of current practices (and therefore regulations or lawsuits), and damage to the company’s brand due to uncontrolled breach disclosure. While government officials are better able to prosecute or “hack back” (without legal consequences) against adversaries, exposing highly sensitive data about a breach leaves private organizations vulnerable to threats beyond cyber.

A third major hurdle to cyber intelligence sharing between public and private organizations is the lack of a common framework for how to handle attacks, and a common language to describe them. To date, responding to a cyber incident is highly dependent on the organization affected and the organization’s available resources. While every attack is different (thus step-by-step instructions would be impossible), a common framework, similar to the NIST Cybersecurity Framework that helps companies build and manage a security program, would allow entities to standardize processes and language, which would aid information sharing efforts.

Finally, private sector organizations may be concerned that if they communicate details about their “failures” and ask government organizations to collaborate on developing best practices, they will expose information that could lead to (additional) regulatory requirements. Thousands of laws and regulations have been passed over the last decade, and private sector security practitioners are skeptical of their positive impact. Working towards compliance is not something security professionals desire, and most have recently watched as GDPR has completely upended security programs. Though the intent of cybersecurity regulation is to improve companies’ risk posture, the result is often years of work and millions of dollars spent.

Approaches to cyber sharing

Rather than focusing on the detriments of cybersecurity regulation, more communication and collaboration from the private sector on how to write and what to include in proposed laws would be tremendously helpful. At present, the problem with most guidance is the lack of cooperation and the ambiguity in roles and repercussions in the face of an incident. With clearer goals and expectations from both sides, progress can be made. Partnerships cannot be one sided; they must be fostered, with both parties trusting the other fully.

Achieving effective intelligence sharing starts with a mutually developed and agreed upon policy. This means that both sides must lay out expectations and discuss the realities of what information can be shared, how it should be shared, and any consequences of sharing sensitive information. For instance, if private sector organizations fear financial or regulatory repercussions from sharing details of a breach, they’ll be less likely to disclose such information when not required to. If, however, guidelines are established to protect companies from such consequences (except when they run afoul of already-established regulations), the flow of information will be greater.

Further, private companies need to feel they’re getting as much as they give. In other words, government entities can’t continue to hold back on cyber threat intelligence sharing. Naturally, classified information cannot be divulged nor can information that puts the public in harm’s way. That said, the public sector needs to develop a mechanism for sharing that preserves caution while benefiting private organizations trying to prevent cyber intrusions. This may take the form of a new framework or even just a common language to share cybersecurity information that preserves anonymity. Whatever the approach, cyber threats are certain to continue and ignoring the need for better and more frequent collaboration between defenders won’t help anyone make great gains against persistent adversaries.

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.