Information Sharing: Key to Addressing Today’s Attacks

Many organizations—especially government agencies or heavily regulated businesses—are nervous about sharing this data, for fear of reprisals if information about successful attacks becomes public. And politicians and security experts say this is an issue that needs to be solved if businesses are going to have the chance to succeed.

Targeted, sophisticated cyberattacks used to be a concern mainly for large enterprises. They have valuable assets and intellectual property, so attackers tend to focus on them. But in the last couple of years, these threats have moved down the ladder and now businesses of all sizes are facing these kinds of attackers.

One of the more valuable defenses against sophisticated attackers is information, data on how they operate, what their tactics are and what the indicators of a new compromise are. But for many businesses, getting their hands on that kind of valuable information can be challenging. Without a large security staff to collect and analyze that data, the task is quite difficult. What makes it even more challenging, though, is the unwillingness of government agencies and many larger private sector firms to share the threat and attack data they have.

Tom Davis speaks on the issue at the 2014 Government Cybersecurity Forum

Many organizations—especially government agencies or heavily regulated businesses—are nervous about sharing this data, for fear of reprisals if information about successful attacks becomes public. And politicians and security experts say this is an issue that needs to be solved if businesses are going to have the chance to succeed.

“We need Congress to address this issue if we’re going to have meaningful information sharing,” former Virginia Congressman Tom Davis said at the Kaspersky Government Cybersecurity Forum in Washington, D.C. this week. The end result is that you have a lot of good people who spend a lot of time on this but nothing happens. And if nothing happens, then that makes these scenarios much more likely. This shouldn’t be complicated in the scheme of things.”

The value of sharing information about attacks was highlighted during a blackout that affected the East Coast of the United States and part of Canada in 2003. Karen Evans, who was the CIO of the Department of Energy at the time, said that one of the things that helped address the problem was the line of communication that had been established with peers in Canada.

wide2

Form left: Mike Lennon, Howard Schmidt and Karen Evans.

“It went all the way up to Canada and the informal relationship we had with them,” Evans said during the Kaspersky Government Cybersecurity Forum. “We could open things up and have a secure dialogue with them.”

Many industries have formal information sharing centers set up to help address the problem, including financial services, energy and others. But the informal relationships can be just as valuable, as Evans pointed out. Those are the relationships built up at conferences, industry events and elsewhere. Just having the information isn’t enough, though.

“It’s what you do with that information that’s going to make or break the organization,” she said.

Tips