Opinion: Information sharing works best if intel comes with an action plan
The ultimate goal of information sharing is to stop attacks and improve overall cybersecurity. For this to happen, however, threat information has to be accompanied by crisp, well-thought-out response plans.
The Internet makes everyone neighbors in cyberspace. But despite pockets of excellence online, the Web still requires a quality neighborhood watch program. And the current one is broken.
It's been more than 15 years since cyber information sharing became a government priority, relying heavily on a directive from President Bill Clinton. That order resulted in government information-sharing organizations and called on nonstate critical infrastructure sectors to create Information Sharing and Analysis Centers. After a decade and a half, sharing still falls short of what Clinton intended.
But even though sharing is difficult, it's not impossible. There are plenty of good examples for Congress to examine as it considers new information-sharing legislation that President Obama has advocated for in recent speeches and with an executive order signed at Stanford University last week.
Here are a few examples in which sharing works smoothly, at least most of the time:
One of the few truly successful examples of government sharing is the result of Obama's 2013 executive order to improve the cybersecurity of critical infrastructure. As a result of that, anytime the government discovers that an American company has been the victim of a hack, the new "default" action is for the Department of Homeland Security or the FBI to notify that company with enough details to identify the attack.
Few successful sharing programs, however, are run by governments. In fact, the best-known examples of successful sharing are still those Clinton-era information sharing centers.
Due to its strong operational responses in the face of attacks, the Financial Services Information Sharing and Analysis Center is widely considered to be the most effective. Its success is due, in part, to extremely deep-seated trust between participants, close cooperation with its government partners, and the continuous commitment of bank executives for more than 15 years.
Another successful sharing group is the Industry Consortium for Advancement of Security on the Internet, a coalition of major Internet companies that are intent on defeating cyberattacks. Sharing works here, not just because the consortium is a relatively tight-knit group – which makes trust easier – but because the group is focused on outcomes rather than process.
The last sharing examples are small, private, and possibly the most effective. There are about two dozen tight trust networks of the most technically skilled defenders, all eager to share with one another in order to thwart attacks. To join one of these groups, one “must be able to get your hands on a lever or a knob,” so participants are from major telecommunications providers or cybersecurity companies, according to Jeff Moss, founder of the Black Hat network security conference and a participant in several such groups.
After all, "why share with organizations not in a position to deal with" actual security problems, asks Mr. Moss.
To foster more such success stories, information sharing must not be thought of as an end in itself. The ultimate goal of sharing should be outcomes, stopping attacks and improving overall cybersecurity.
To ensure this happens, all sides must drive their information-sharing efforts with crisp, well-thought-out incident response plans. After all, how can organizations know what information needs to be shared if they don't know how to respond to different kinds of incidents? How do they know the information requirements?
DHS should accordingly reinvigorate the National Cyber Incident Response Plan, which is now little more than an organizational chart in long-form prose. This time around, it should be focused squarely on desired outcomes (like stopping massive attacks or patching critical vulnerabilities). DHS should start by examining case studies of past incidents ("how did we do this last time?") that then inform initial response plans focused on needed actions and decisions ("how should we do it better next time?") and the resulting information requirements ("what information do we need to make better decisions?").
Nearly all of the most successful sharing groups trade information only incidentally; their core mission is stopping cyberattacks or closing vulnerabilities. Similarly, not all kinds of sharing are equal, as most organizations involved in cyberdefense are net consumers – not suppliers – of shareable cybersecurity information.
So government policy should be equally focused on encouraging groups that solve problems, rather than just those that share information. The new information sharing and analysis organizations being encouraged by the White House will likely be far more successful if built around groups like the Industry Consortium that are dedicated to outcomes.
Defenders should also identify ways to get information besides sharing it. Actionable information is already pooling throughout cyberspace, and a narrow focus on sharing ignores other ways to obtain that data: getting threat data from cybersecurity companies does not require elaborate on-ramps of trust, just a credit-card number.
To ensure that government agencies are sharing enough actionable information, the White House should create sharing ombudsman positions at DHS, the FBI, the Office of the Director of National Intelligence, the National Security Agency, and the Central Intelligence Agency.
Currently, sharing is essentially a barter system, neither institutionalized nor part of a transparent marketplace. Cybersecurity information is likely no different than other human endeavors where markets can close persistent gaps between demand and supply. Congress and the White House should continue their conversations with the cybersecurity industry to best determine how to unleash market forces so the supply of cybersecurity information can meet the demand.
By working in tandem and focusing on outcomes, the public and private sectors can bolster their defenses, reduce the potency of malicious attacks, and make cyberspace a more peaceful neighborhood for all.
Jason Healey is the Director of the Cyber Statecraft Initiative of the Atlantic Council and editor of the first history of cyber conflict, "A Fierce Domain: Cyber Conflict, 1986 to 2012." You can follow his thoughts and analysis on cyberissues at @Jason_Healey.