Information security is forever woven into our daily lives. From the massive data breaches impacting Target, Yahoo and Anthem to IoT-powered DDoS attacks that take down substantial portions of the internet for extended periods of time, information security impacts everyone.
The reality is that providing protection in this kind of environment is so challenging that no single entity, whether it’s a company or a government agency, can accomplish this task alone. There needs to be some kind of cooperation between the private and public sectors. This raises several questions: what kind of relationship should the government and companies have, how can they work together and what’s preventing this process from happening?
Government agencies and enterprises can’t hoard information
The first step is realizing and accepting that three-letter acronym government agencies can’t be walled gardens of secrets pertaining to information security. Of course, in the intelligence world, there is highly sensitive data that can’t be shared, and I wouldn’t expect these secrets to be offered to the private sector. I’m referring to information on attacker tactics, techniques and procedures—data that companies could use to keep themselves safe.
Knowing about a PowerShell technique that attackers are using in their campaigns, for example, or other creative hacking methods that the adversary has developed is incredibly useful information for companies. Armed with this knowledge, security and IT teams can look for this kind of behavior in their environments, detect attacks and mitigate damage.
Enterprises, meanwhile, should share this same kind of information with the government. Attribution details should be omitted. Discovering what group, nation-state or organization carried out an attack is nearly impossible given the methods adversaries use to conceal their tracks or throw off defenders. For instance, hacking is now a service that can be purchased, providing anyone who’s willing to pay with the ability to carry out cyber crimes. Additionally, knowing who was behind an attack doesn’t really do much to protect a business from future attacks.
The National Council of ISACs already allows for the sharing of threat information across companies in the same verticals. This is a fantastic mechanism for helping to protect enterprises, but more can be done. There needs to be a way to share information between verticals, both in the U.S. and internationally. The threats that businesses face aren’t restricted by international boundaries or industries. A zero-day that targets an unpatched software flaw will work whether that application runs on a computer at a German steel manufacturer or a Japanese drug maker.
Treat information security like crime or terrorism
The sharing of information around matters related to criminal activity and terrorism is already common among every level of government, both nationally and internationally. The general feeling around combatting major crimes and terrorism is that both of these topics are so vast a single organization can’t tackle them. What’s fascinating to me is that information security isn’t handled in the same fashion, although it’s also a problem that’s massive in scope and the risk can’t be completely removed by just a single law enforcement agency or government.
Software is being used as a weapon to commit major crimes across the world, but there isn’t any impetus for the private and public sectors to work together on better protecting citizens and enterprises. So, what’s the holdup in the information security space?
The information security community is reluctant to share information because protecting computers, servers and users is seen as an IT problem. Under the IT mindset, security is still about protecting one machine at a time and resolving an issue as quickly as possible. This myopic approach doesn’t take into account that an attack is an intricate and detailed plan with many components spread across an IT environment. It also doesn’t treat attacks as a criminal problem. Since security is viewed as fixing a broken machine, not much thought goes into breaking down the walls that prevent information from being spread between enterprises. In other words, we’re missing the big picture of how to keep everyone, not just one company, safe.
The good guys need to evolve how they think about handling information security and see it similarly to combatting crime and terrorism. Hopefully, this mentality will lead to information sharing between the government and private sector and ultimately return power to the defenders.