A third major hurdle to cyber intelligence sharing between public and private organizations is the lack of a common framework for how to handle attacks, and of a common language to describe them. To date, how an organization responds to a cyber incident depends heavily on which organization is affected and what resources it has available. Every attack is different, so step-by-step instructions are impossible, but a common framework, similar to the NIST Cybersecurity Framework that helps companies build and manage a security program, would allow entities to standardize their processes and vocabulary, and standardized processes and vocabulary are what make shared information usable by its recipients.
Finally, private sector organizations may be concerned that if they communicate details about their “failures” and ask government organizations to collaborate on developing best practices, they will expose information that could lead to additional regulatory requirements. Thousands of laws and regulations have been passed over the last decade, and private sector security practitioners are skeptical that they have had a positive impact. Working towards compliance is not something security professionals desire, and many have recently watched GDPR completely upend their security programs. Though the intent of cybersecurity regulation is to improve companies’ risk posture, the result is often years of work and millions of dollars spent.
Approaches to cyber sharing
Rather than focusing on the detriments of cybersecurity regulation, the private sector would do far more good by communicating and collaborating on how proposed laws are written and what they should include. At present, the problem with most guidance is the lack of cooperation behind it and the ambiguity about roles and repercussions in the face of an incident. With clearer goals and expectations from both sides, progress can be made. Partnerships cannot be one sided; they must be fostered, with each party trusting the other fully.
Achieving effective intelligence sharing starts with a mutually developed and agreed upon policy. This means that both sides must lay out expectations and discuss the realities of what information can be shared, how it should be shared, and what consequences follow from sharing sensitive information. For instance, if private sector organizations fear financial or regulatory repercussions from sharing details of a breach, they will be less likely to disclose such information when not required to. If, however, guidelines are established to protect companies from such consequences (except where they have run afoul of already-established regulations), the flow of information will be greater.
Further, private companies need to feel they are getting as much as they give. In other words, government entities cannot continue to hold back on cyber threat intelligence sharing. Naturally, classified information cannot be divulged, nor can information that puts the public in harm’s way. That said, the public sector needs to develop a mechanism for sharing that preserves that caution while still benefiting private organizations trying to prevent cyber intrusions. This may take the form of a new framework, or even just a common language for sharing cybersecurity information that preserves the anonymity of the source. Whatever the approach, cyber threats are certain to continue, and ignoring the need for better and more frequent collaboration between defenders will not help anyone make gains against persistent adversaries.