Both parents and Sesame Street extol the virtues of sharing, but in the field of information security, we tend not to be very good at it, especially when it comes to private companies sharing information about data breaches with the U.S. Department of Homeland Security. We say that this needs to change.
While we are all aware of the risks, we may not be as clear on the benefits of the good guys trusting each other. Threats are growing in both scope and sophistication. In its 2015 Internet Security Threat Report, Symantec estimates advanced hackers targeted 5 out of 6 large companies, a 40% increase over the prior year.
Tough to Trust
It’s easy to come up with reasons not to share data breach information with the government. Whenever a company shares information outside its four walls, it’s conceivable that sensitive data could be exposed. And sharing information about a data breach also means sharing that you have a weakness. No one in the business world is eager to do that.
The reservations were evident at the CIO Network Conference, which was held six weeks after the Cybersecurity Information Sharing Act (CISA) became law in December. CISA provides liability protection for companies willing to disclose breaches to the government. But despite these new protections, only 58% of CIOs at the Wall Street Journal-sponsored conference said the law made them more likely to cooperate with the government if their systems were hacked.
Know Your Enemy
While the reluctance to share information is defensible, it’s ultimately self-defeating as our adversaries become more skilled. At the conference, Department of Homeland Security official Andy Ozment divided those adversaries into five buckets, and the toughest of them won’t be beaten if companies stand alone:
- Vandals: They’re trying to damage your reputation.
- Burglars: They’re after money.
- Thugs: They want to punch you because they can.
- Spies: They’re trying to steal international secrets or intellectual property.
- Saboteurs: They infiltrate your infrastructure and wait for a time of conflict to act.
Adversaries in the first three categories aren’t as dangerous, Ozment said, because the feedback cycle – the information a system provides about itself – enables companies to detect their types of intrusions within a few months. But spies and saboteurs are expert at hiding. Companies may not detect the intrusion for years. Ozment said the primary ways to detect a spy or saboteur are 1) to look at traffic leaving your network and 2) work with the government to share threat information. The latter helps uncover indicators to enhance threat detection and abatement. Without broad participation by private companies, however, its effectiveness is compromised. Spies and saboteurs stay hidden, free to use the same methods to infiltrate other victims.
Strength in Numbers
If the basic reason for not sharing info is common-sense risk aversion, then the basic reason to start sharing is another common-sense axiom – There’s strength in numbers. Here are three reasons why:
- We operate in a global environment – no single entity can be fully aware of all threats and attacks.
- Information-sharing can help companies learn from each other, so they can proactively shore up vulnerabilities, or recognize and mitigate the effects of intrusions.
- CISA, the new cybersecurity law, provides protections that anonymize any reports and discard irrelevant info. The law also ensures the data can’t be accessed for regulatory purposes, and isn’t accessible in civil litigation or via Freedom of Information Act requests.
The truth is that our adversaries are formidable, and the ground to defend is expanding, with Gartner predicting more than 6.4 billion connected devices in 2016 – a 30% increase over 2015. We need to trust each other.
At Equinix, we encourage industry collaboration by convening occasional meetings of 12-15 information security officers where we learn from each other. The government, with its broad reach, can multiply the effectiveness of these kinds of sharing-based security efforts. When it comes to cybersecurity, businesses should view the government as another powerful partner at the table.