海角大神

Modern field guide to security and privacy

Opinion: Information sharing works best if intel comes with an action plan

The ultimate goal of information sharing is to stop attacks and improve overall cybersecurity. For this to happen, however, threat information has to be accompanied by crisp, well-thought-out response plans.

Kevin Lamarque/Reuters
President Obama spoke last week at the Summit on Cybersecurity and Consumer Protection at Stanford University where he signed an executive order encouraging more information sharing between government and the private sector.

The Internet makes everyone neighbors in cyberspace. But despite pockets of excellence online, the Web still requires a quality neighborhood watch program. And the current one is broken.

It's been more than 15 years since cyber information sharing became a government priority, relying heavily on a directive from President Bill Clinton. That order resulted in government information-sharing organizations and called on nonstate critical infrastructure sectors to create Information Sharing and Analysis Centers. After a decade and a half, sharing still falls short of what Clinton intended.

But even though sharing is difficult, it's not impossible. There are plenty of good examples for Congress to examine as it considers new information-sharing legislation that President Obama has advocated for in recent speeches and with an executive order signed at Stanford University last week.

Here are a few examples in which sharing works smoothly, at least most of the time:

One of the few truly successful examples of government sharing is the result of Obama's 2013 executive order to improve the . As a result of that, anytime the government discovers that an American company has been the victim of a hack, the new "default" action is for the Department of Homeland Security or the FBI to notify that company with enough details to identify the attack.

Few successful sharing programs, however, are run by governments. In fact, the best-known examples of successful sharing are still those Clinton-era information sharing centers.

Due to its strong operational responses in the face of attacks, the  is widely considered to be the most effective. Its success is due, in part, to extremely deep-seated trust between participants, close cooperation with its government partners, and the continuous commitment of bank executives for more than 15 years.

Another successful sharing group is the , a coalition of major Internet companies that are intent on defeating cyberattacks. Sharing works here, not just because the consortium is a relatively tight-knit group, which makes trust easier, but because the group is focused on outcomes rather than process.

The last sharing examples are small, private, and possibly the most effective. There are about two dozen tight trust networks of the most technically skilled defenders, all eager to share with one another in order to thwart attacks. To join one of these groups, one "must be able to get your hands on a lever or a knob," so participants are from major telecommunications providers or cybersecurity companies, according to Jeff Moss, founder of the Black Hat network security conference and a participant in several such groups.

After all, "why share with organizations not in a position to deal with" actual security problems, asks Mr. Moss.

To foster more such success stories, information sharing must not be thought of as an end in itself. The ultimate goal of sharing should be outcomes, stopping attacks and improving overall cybersecurity.

To ensure this happens, all sides must drive their information-sharing efforts with crisp, well-thought-out incident response plans. After all, how can organizations know what information needs to be shared if they don't know how to respond to different kinds of incidents? How do they know the information requirements?

DHS should accordingly reinvigorate the National Cyber Incident Response Plan, which is now little more than an organizational chart in long-form prose. This time around, it should be focused squarely on desired outcomes (like stopping massive attacks or patching critical vulnerabilities). DHS should start by examining case studies of past incidents ("how did we do this last time?") that then inform initial response plans focused on needed actions and decisions ("how should we do it better next time?") and the resulting information requirements ("what information do we need to make better decisions?").

Nearly all of the most-successful sharing groups trade information only incidentally; their core mission is stopping cyberattacks or closing vulnerabilities. Similarly, not all kinds of sharing are equal, as most organizations involved in cyberdefense are net consumers, not suppliers, of shareable cybersecurity information.

So government policy should be equally focused on encouraging groups that solve problems, rather than just those that share information. The new information sharing and analysis organizations being encouraged by the White House will likely be far more successful if built around groups like Industrial Consortium that are dedicated to outcomes.

With cybersecurity, defenders should identify ways to get information besides sharing it. Actionable information is already pooling throughout cyberspace and focusing on sharing ignores other ways to get that data: Getting threat data from cybersecurity companies does not require elaborate on-ramps of trust, just a credit-card number.

To ensure that government agencies are sharing enough actionable information, the White House should create sharing ombudsman positions at DHS, FBI, the Office of the Director of National Intelligence, and the National Security Agency and Central Intelligence Agency.

Currently, sharing is essentially a barter system, neither institutionalized nor part of a transparent marketplace. Cybersecurity information is likely no different than other human endeavors where markets can close persistent gaps between demand and supply. Congress and the White House should continue their conversations with the cybersecurity industry to best determine how to unleash market forces so the supply of cybersecurity information can meet the demand.

By working in tandem and focusing on outcomes, the public and private sectors can bolster their defenses, reduce the potency of malicious attacks, and make cyberspace a more peaceful neighborhood for all.

Jason Healey is the Director of the Cyber Statecraft Initiative of the Atlantic Council and editor of the first history of cyber conflict, "A Fierce Domain: Cyber Conflict, 1986 to 2012." You can follow his thoughts and analysis on cyberissues at @Jason_Healey.
