This post is also available in: עברית (Hebrew)
The emergence of the cyber threat phenomenon is forcing organizations to change the way they think about security. One of these changes relates to organizations’ policy on sharing cyber information with outside parties. This means shifting away from the view of the organization as an isolated, compartmentalized entity towards a view of the organization as a sharing one. Sharing generates a complex, multifaceted challenge to technology, law, organizational culture and even politics. Establishing a system of sharing serves many parties, including regulatory bodies, governments, legal authorities, intelligence agencies, the manufacturers of solutions and services, as well as the organizations themselves, but it also arouses opposition among elements within the organization, and organizations defending the right for privacy.
The purpose of this essay is to present the various challenges posed by cyber information sharing, expose the reader to its conceptual world, and present some insights and forecasts for its future development.
One of the most difficult challenges faced by organizations is confronting the cyber threat phenomenon. The increased use of technology in organizations of any kind – government, public, and private – turns them into targets of attacks aimed at gathering or damaging information, or suspending services.
Attacks on commercial organizations are liable to harm the organizations’ reputation, endanger physical assets and intellectual property, and cause serious financial damage. Attacks on governments, public bodies, and infrastructures may also disrupt the routines of entire nations and jeopardize the health and safety of their citizens.
Over the last decade, traditional crime has crossed into cyberspace; the growing sophistication of cracking tools and attack vectors has led to the creation of a new, developed and sophisticated cyberspace crime economy. A similar process has also occurred in the sphere of warfare between nations, as many now view cyberspace as the fifth dimension of the modern battlefield, in addition to sea, land, air, and space.
Confronting the cyberspace threat requires an investment in human and technological infrastructures based on an organizational or national risk management policy. The quality of an organization’s information security system is affected by different factors, among them the ability to gather and analyze information on legitimate user traffic as well as attacks, regardless of their success. This allows one to identify vulnerabilities in the security system and prevent their exploitation, while identifying and responding to attacks and breaches quickly and effectively, thereby preventing or at least minimizing the damage.
Sharing organizational cyber information is the act of communicating information regarding an organization’s security to an external party. While such sharing results in gains for both parties, it does, however, create a complex, multifaceted challenge and represents a shift in the traditional information technology paradigm. The sharing model may exist within the same sector, across different sectors, between commercial enterprises and government bodies, and between different governments. The last two years have seen an increase in the sharing trend; regulatory and law enforcement bodies, both local and international, are promoting it by means of incentives, guidelines and legislation. Concurrently, a security solutions industry based on information sharing among bodies is developing rapidly.
Since the end of 2011, legislation on cyber information sharing has been advanced. The purpose of the proposed law is to allow private and public companies, in the context of cyberwar, to share information in real time with the government, law enforcement and intelligence agencies without risking lawsuits for violating secrecy or privacy. The bill passed in the House of Representatives, went through a round of adjustments in the Intelligence Affairs Committee, and is still in the process of legislation in the US Senate. Its opponents claim that it violates the Fourth Amendment to the Constitution, which defines parameters for search and seizure of citizens’ personal information, such as warrants or reasonable grounds.
According to opponents of the bill, the new legislation would allow intelligence agencies to receive personal or commercial information from infrastructure and content providers without the checks delineated in the Fourth Amendment. Groups dealing with the problems inherent in the bill are trying to enlist public support to oppose and prevent it from becoming a law, by running a campaign in the social media and on the internet in the United States.
The tension between supporters and opponents of cyber information sharing legislation is not unique to this area, but touches on the entire issue of privacy in the interface between the state and its citizens and the involvement of Big Brother. An example of a similar conflict may be found in the Smart City initiative in Britain, which includes covering cities with cameras and face recognition software.
Trends in the contemporary development of the cyber threat phenomenon include using attack methodologies focused on specific targets rather than being randomized, crossing geographical and legal borders, taking advantage of unidentified vulnerabilities, and using bits of malicious, modular code in cyberspace.
The attackers maintain a flourishing, structured community with internal order and a supporting system of financing, allowing easy and rapid sharing of attack information. It seems that the realization of the community model on the defensive side and transitioning from a paradigm of isolated organizations to an information sharing initiative will lead to better results. In a broader view, one of the most significant resources coming into being in the 21st century is the wisdom of crowds.
The greater challenge is faced by organizations whose business is essentially linked to cyberspace, such as security solutions, software products and services manufacturers, and the large project and integration bodies in the field. The question remains: is it possible to formulate a worthwhile working model among these manufacturers so that they will share cyber information, even though security and cyberspace are part of the field in which they compete? Such a model must include both elements of competition and of cooperation (coopetition) in a way that would provide advantages to each of the partners over time.
The disagreement between supporters and opponents of information sharing will continue. Given that, and given all the aspects of the topic discussed in this essay, the question that must be asked is this: is there a different paradigm in the world of information technology that would allow dealing with current and future cyber challenges without the need for sharing, or is there no choice but to join forces in the battle and rapidly adopt uniform standards for a sharing infrastructure? Either way, such an infrastructure must maintain a balance between individual rights and the state’s ability to defend its infrastructures, assets and citizens.
Written by: Aviram Zrahia