Government and Industry Collaboration: The Long Path to Trust and Sharing

Agencies are stepping up to the plate and contributing active intelligence to threat sharing programs, a big step on the long and challenging path to effective cybersecurity information sharing.

Both government and industry have recognized for years that cooperation is necessary to defend against increasingly sophisticated, organized and well-resourced cyber adversaries. Sharing of threat information has been hampered by a lack of trust, however. Companies often are reluctant to share with competitors and even with partners. And everyone has been reluctant to share with government, which has been hesitant to share with the private sector.

Effective information sharing is beginning to occur

But cracks finally are appearing in these walls and effective information sharing is beginning to occur. Government agencies are taking a more active part in sharing programs, and technical standards for sharing across broader communities of interest are being developed.

Overcoming the fear of Big Brother

The role of government in sharing security information has been problematic. The federal government operates large IT enterprises and is charged with defending the nation’s critical infrastructure, making it both a prime source and consumer of threat intelligence. But concerns about liability, privacy and competition have made companies reluctant to provide information to government. Agencies, in turn, have been unwilling to share their own sensitive information.

This has resulted in barriers to getting information into the hands of those who need it. Ron Gula, in an opinion piece for the Christian Science Monitor’s Passcode published in October 2015, advocated greater government transparency in its cybersecurity efforts, saying that “security through obscurity” is not an effective policy.

The Homeland Security Department’s Automated Indicator Sharing (AIS) program has recently emerged as an enabler for sharing. AIS is a voluntary hub for exchanging information among public and private sector organizations. It began receiving and disseminating threat indicators in March, and according to reports some 40 companies and 10 agencies have signed on with AIS.

The government’s willingness to give as well as receive goes a long way toward building trust

Interestingly, the agencies are supplying most of the information and companies primarily are consumers. This demonstration of the government’s willingness to give as well as receive goes a long way toward building trust.

Building on standards

Sharing works best in formal programs with trusted partners and established policies and practices. Toward this end, technical standards and best practices are being developed by both government and industry.

Sharing works best in formal programs with trusted partners and established policies and practices

One of the challenges of sharing cybersecurity intelligence is that it is likely to contain sensitive information that can reveal things about the source of the intelligence, resulting in risks to confidentiality, privacy and liability. To help limit these risks, the National Institute of Standards and Technology has released Special Publication 800-150, a Guide to Cyber Threat Information Sharing.

“By exchanging cyber threat information within a sharing community, organizations can leverage the collective knowledge, experience, and capabilities to gain a more complete understanding of the threats the organization may face,” the authors write. They provide a list of recommendations for establishing information-sharing programs, relationships and capabilities.

As NIST points out, info sharing works best within communities, and industry-specific Information Sharing and Analysis Centers (ISACs) have been operating since 1999. There now are more than 20 ISACs sharing information. The administration now has broadened the criteria defining an info-sharing community beyond industry sectors under a 2015 executive order. According to DHS, new Information Sharing and Analysis Organizations (ISAOs) will accommodate groups that do not fit neatly into the sector-based ISAC structure.

“ISAOs may allow organizations to robustly participate in DHS information sharing programs even if they do not fit into an existing critical infrastructure sector, seek to collaborate with other companies in different ways (regionally, for example), or lack sufficient resources to share directly with the government,” DHS said.

A new ISAO Standards Organization has published the first set of voluntary standards for setting up private-sector ISAOs.

Taking part

Continuing the progress on the path to information sharing requires participation. Contributing and using cybersecurity information not only can help improve your agency’s cybersecurity posture, but helps create a more secure cyber ecosystem. To learn more about the best practices and standards for information sharing, you can read the publications from NIST and the ISAO Standards Organization.

To participate, check the resources at the DHS Automated Indicator Sharing program or the National Council of ISACs. A series of public meetings and workshops are being held to kick off the new ISAOs. Learn more about them at DHS or the ISAO Standards Organization.

While much work remains, the cybersecurity balance seems to be tipping away from self-interest to cooperation and that’s a good thing. After all, we’re all in this together.