The value of information sharing and the risks of cyber shaming
By MJ Shoer
As the complexities and sophistication of cyber security threats continue to evolve, the need for effective information sharing has never been greater. We all understand that the fight against the bad actors is not one that we can win on our own. The latest and greatest tool – whatever it is this week – is really just one piece of the complex puzzle that must be assembled to have a truly effective cyber security posture.
It’s imperative to take an approach based not only on what you can do to prevent an attack, but on what you do once you know you have been attacked and how far that attack reached. In other words, assume you will be attacked and that the attack will succeed.
Why disclosing security information is important
Information sharing is not a new concept. In 1998, the Clinton Administration created Presidential Decision Directive-63 (PDD-63) in order to create Information Sharing and Analysis Centers (ISACs) around critical infrastructure such as nuclear power, energy, aviation, financial services, etc.
These organisations share critical cyber threat information between government and the private-sector partners in these identified critical infrastructure areas. In 2015, under the Obama Administration, Executive Order 13691 was issued, directing the Department of Homeland Security to encourage the formation of Information Sharing and Analysis Organizations (ISAOs). ISAOs differ from ISACs in that they may be formed around industry segments, communities of interest and more. The goal of information sharing is to increase collaboration between government and the private sector so as to enhance the cyber security resilience of everyone involved.
Fast forward to today and let’s take a look at the SolarWinds event that came to light at the end of 2020. I refer to this as an “event” because I believe calling it a hack or breach does not impart its true gravity. As more information continues to come to light, almost daily, it is clear that this was a foreign intelligence gathering operation carried out exclusively in cyber space. Its full motivation is still unknown, but given its known targets in the federal government, academia and private industry, it appears to have been an extensive information gathering activity whose outcome may not be fully known for years.
This was not something that any one tool was going to prevent. The sophistication, patience and persistence involved are something we have not seen before. While it was an attack on the software supply chain, perpetrated in a manner not previously seen, emerging evidence suggests the attackers may also have used other avenues of entry. The point is that technology alone was not going to stop this type of sophisticated activity.
However, what if one or more of the organisations involved felt comfortable coming forward and sharing anomalies that they were seeing on their networks? We don’t yet know how many victims may have seen concerning activity on their networks, but what we do know is that organisations across the world fear cyber shaming.
I think of cyber shaming as the negative outcome of letting a cyber security event be known in the public forum. Think about the reputational damage done to companies like Target and Equifax, government agencies like the Office of Personnel Management (OPM) and others who have had cyber security events, be they hacks, breaches or insider threats, released to the public. Instead of being praised for letting the world know of these events, they are most often vilified, cyber shamed if you will, for not having robust enough security to prevent such an attack.
It’s time to overcome the fear of admitting you’ve been hacked
This notion of cyber shaming takes me all the way back to 2009, when I testified before the US House Subcommittee on Oversight and Reform on behalf of CompTIA on the topic of information security and updates to the Federal Information Security Modernization Act. During the interactive Q&A with lawmakers after our opening statements, the panel had the opportunity to interact with the members of the subcommittee. One member, a Congressman from Southern California, made a very strong statement to the effect of (I am paraphrasing here): “Do you mean to tell me in this day and age, in the greatest country on earth, we can’t come up with technology to prevent security risks?” To which I responded: “Mr Congressman, with all due respect, there is no technology in the world that can get between your finger and the enter key on your keyboard.” My point was that the individual computer user is often the last line of defence when it comes to cyber security. Fast forward 12 years and not much has changed.
I contend that in many ways, this is due to cyber shaming. Whether as an individual or as an organisation, there is too much fear around admitting to a possible cyber security event. There should not be. We must encourage individuals and organisations to come forward and share every concern they may have about events taking place within their infrastructure. The only chance we have to get ahead of the bad actors is to share information, just like they do! Yes, the bad actors actively share their successes and their failures, to help one another be more effective in their attacks. We, the good guys, have been remiss in not sharing nearly as effectively as the bad guys.
Thinking back on the SolarWinds event, imagine what might have happened if one or more attacked organisations had shared that they were seeing suspicious activity on their networks. If that information had been passed to their communities, ISACs or ISAOs, perhaps enough people would have looked for the same activity to make the bad actors push back from the table and reconsider their operation. I’m not saying this would have prevented it, but we also cannot say that it would not have. At the very least, it might have given the attacked organisations more time to understand what was happening and shut it down before the operation could settle in and quietly do its damage for months, if not longer.
It is my opinion that cyber shaming is as much a danger to our collective cyber security defences as any other risk. We have to change the equation, and that starts with encouraging individuals and organisations to come forward with anything concerning they may have done or encountered. Only then can we use the wider community to alert others to look for similar circumstances within their own infrastructure.
Coupled with effective defensive technologies, proactive monitoring and user education, to name a few, the sharing of timely and actionable cyber threat intelligence will provide us with the strategic edge we need to get ahead of the bad actors. If we truly hope to protect our businesses, those of our customers and the stability of both the global economy and our societies, we must share this critical information.
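What “timely and actionable” sharing looks like in practice, as an added illustration that is not code from this article or from CompTIA: one organisation folds the anomalies its analysts noticed into an indicator bundle that can leave the building (internal hostnames stripped, only a count of affected hosts kept, so fear of exposure is no reason not to share), and a peer organisation runs that bundle over its own logs. The bundle layout and the three log line formats are invented for the example (a STIX/TAXII feed or an ISAO mailing-list post would carry the same fields), and every domain, address, hash and log line is constructed here using RFC 5737 addresses and .example names; none is a real SolarWinds indicator.

```python
"""Indicator sharing and local hunting (added example, not the article's code).

Bundle layout, log formats, hosts, domains, addresses and the hash are all
constructed for this illustration; none is a real indicator.
"""
from __future__ import annotations

import hashlib
import re
from collections import Counter

# --- Sharer side --------------------------------------------------------------

INTERNAL_FIELDS = ("host", "user", "ticket")  # must never appear in a shared bundle


def build_bundle(observations: list[dict], source: str, tlp: str = "AMBER") -> dict:
    """Fold raw observations ({"type", "value", "host", "first_seen"}) into indicators.

    Values are lower-cased and de-duplicated, the earliest sighting is kept, and
    internal fields are dropped: peers get something to hunt for without a map of
    the sharer's network.
    """
    merged: dict[tuple[str, str], dict] = {}
    for obs in observations:
        value = obs["value"].strip().lower()
        entry = merged.setdefault((obs["type"], value), {
            "type": obs["type"], "value": value,
            "first_seen": obs["first_seen"], "hosts": set(),
        })
        entry["first_seen"] = min(entry["first_seen"], obs["first_seen"])  # ISO dates sort
        entry["hosts"].add(obs.get("host", "unknown"))
    indicators = [
        {"type": e["type"], "value": e["value"], "first_seen": e["first_seen"],
         "hosts_affected": len(e["hosts"])}
        for e in merged.values()
    ]
    for ind in indicators:  # refuse to emit anything internal, whatever the caller did
        if any(f in ind for f in INTERNAL_FIELDS):
            raise ValueError(f"internal field leaked into bundle: {ind}")
    return {"source": source, "tlp": tlp, "indicators": indicators}


# --- Recipient side -----------------------------------------------------------

# Invented line formats for three log sources the recipient already collects.
DNS_RE = re.compile(r"\bdns client=(?P<client>\S+) query=(?P<qname>\S+)")
PROXY_RE = re.compile(r"\bproxy client=(?P<client>\S+) dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})")
PROC_RE = re.compile(r"\bproc host=(?P<host>\S+) sha256=(?P<sha>[0-9a-f]{64})")


def hunt(bundle: dict, log_lines: list[str]) -> list[dict]:
    """Return one hit per log line that matches an indicator in the bundle."""
    by_type: dict[str, set[str]] = {}
    for ind in bundle["indicators"]:
        by_type.setdefault(ind["type"], set()).add(ind["value"])
    hits = []
    for line in log_lines:
        if m := DNS_RE.search(line):
            qname = m["qname"].rstrip(".").lower()
            for dom in by_type.get("domain", ()):
                # exact name or a subdomain; "notupdate-cdn.example" must NOT match
                if qname == dom or qname.endswith("." + dom):
                    hits.append({"type": "domain", "indicator": dom, "where": m["client"], "line": line})
        elif m := PROXY_RE.search(line):
            if m["dst"] in by_type.get("ipv4", ()):
                hits.append({"type": "ipv4", "indicator": m["dst"], "where": m["client"], "line": line})
        elif m := PROC_RE.search(line):
            if m["sha"] in by_type.get("sha256", ()):
                hits.append({"type": "sha256", "indicator": m["sha"], "where": m["host"], "line": line})
    return hits


def summarize(hits: list[dict]) -> Counter:
    """Count hits per internal host/client: the list a responder triages first."""
    return Counter(h["where"] for h in hits)


# --- Constructed data ---------------------------------------------------------

SAMPLE_SHA256 = hashlib.sha256(b"constructed sample, not a real binary").hexdigest()

# What org A's analysts noticed; the internal hostnames will not be shared.
OBS_ORG_A = [
    {"type": "domain", "value": "Update-CDN.example", "host": "fs01.corp.internal", "first_seen": "2020-12-01"},
    {"type": "domain", "value": "update-cdn.example", "host": "ws-0412.corp.internal", "first_seen": "2020-11-28"},
    {"type": "ipv4", "value": "203.0.113.45", "host": "fs01.corp.internal", "first_seen": "2020-12-01"},
    {"type": "sha256", "value": SAMPLE_SHA256, "host": "fs01.corp.internal", "first_seen": "2020-12-01"},
]

# Org B's own logs two weeks later; three lines should match and three should not.
ORG_B_LOGS = [
    "2020-12-14T09:12:03Z dns client=10.20.0.17 query=api.update-cdn.example.",
    "2020-12-14T09:12:04Z proxy client=10.20.0.17 dst=203.0.113.45 bytes=5120",
    "2020-12-14T09:15:00Z dns client=10.20.0.33 query=www.example.org.",
    f"2020-12-14T09:20:11Z proc host=build02 sha256={SAMPLE_SHA256}",
    "2020-12-14T09:21:00Z proxy client=10.20.0.40 dst=198.51.100.7 bytes=900",
    "2020-12-14T09:22:00Z dns client=10.20.0.17 query=notupdate-cdn.example.",
]

if __name__ == "__main__":
    shared = build_bundle(OBS_ORG_A, source="org-a")
    found = hunt(shared, ORG_B_LOGS)
    for hit in found:
        print("HIT", hit["type"], hit["indicator"], "on", hit["where"])
    print("hosts to triage:", summarize(found))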
This is why cyber security is a priority for CompTIA in 2021 and why we brought the CompTIA ISAO to our members. Together, we will fight back against the bad actors and raise the cyber security resilience of the global tech industry.
MJ Shoer is senior vice-president and executive director of the CompTIA ISAO.Click here to learn more how the CompTIA ISAO is helping technology vendors, MSPs, solution providers, integrators, distributors, and business technology consultants advance the cyber resilience of the entire tech industry.