Information Sharing: An Essential Cybersecurity Resource

Information is the most essential requirement in cybersecurity. Yet many cybersecurity professionals don’t have access to ready intelligence from their industry peers.

At one end of the scale is threat intelligence, which helps us as cybersecurity professionals understand the attackers and attack types that are out there both globally and locally. At the opposite end is the lessons-learned exercise that occurs once we have responded to and taken action to resolve an incident, to understand what worked, what didn’t and how we can avoid it happening again.

Yet some cybersecurity professionals lack a highly valuable source of information: easily accessible insight from peers regarding the attacks they are seeing – particularly when the attackers have been successful and have partly or wholly achieved their goals.

This could be security peers near you geographically (if attackers are targeting your physical locality, that’s highly useful to know) or it could be people in similar industries or markets farther afield.

The Role of Peer Insight

Imagine your security reporting tools are showing massively increased levels of attacks; the virtual walls are staying secure but it is costing you time and money to shore up the defenses to improve your chances of preventing an impact. Now ask yourself: if I phoned my friend who is CISO at one of our main competitors and told them what I am seeing, would this be considered detrimental to the organization?

If the answer is yes, it is worth raising this and reexamining information sharing policies in the organization. The world has acknowledged the fact that the sharing of information about cyber attacks between organizations – even those in vicious competition with each other at a commercial level – is absolutely vital to the common good.

We are not talking about regulatory incident disclosure in this instance. Rather, we are talking about sharing information privately with other organizations. If you are in Europe or the U.K. and you experience a big data breach, then a proactive public statement is usually required to ensure compliance with GDPR – you have to tell the data subjects that their data was compromised, so it’s in the public domain anyway. But that disclosure alone is not the kind of information sharing that can help prevent repeat occurrences.

Historically, the attitude of many organizations towards information sharing has been not to do it for a variety of reasons, not limited to just confidentiality or commercial sensitivity grounds. The historic notion of “we do not share information” was not as simple as it sounds, as often a number of senior people in a given organization were in favor of sharing – not least because sharing is a two-way street, not just an outbound flow of information. Even with a much smaller nucleus of senior staff being against sharing, organizations would err on the side of caution.

The willingness to share information – and the vehicles via which it can be shared – is growing rapidly. In most sectors, we don’t have to look far to find an Information Sharing and Analysis Center, or ISAC. We can find ISACs in telecommunications, retail, automotive, transportation, chemicals, IT, water, healthcare, … there are far more than there is space to mention them all here.

Even if we don’t use a formal ISAC as a vehicle for sharing, there are structures to share information semi-formally between organizations, in self-organized gatherings. Such discussions can take place under what is known as the Chatham House Rule – a U.K.-originated but now globally used guideline that basically says: you can use the information you learn, but if you want to make it known outside the group it must not cite the source or disclose it in a way where the source could be figured out.

Reason to Share (or Not)

The question to ask senior management is: “Why don’t we share cybersecurity information with others? What problems do you perceive?” The chances are that you will get one or more of five answers.

First, legal or regulatory restrictions. In the U.K. and Europe in particular, “it is against data protection law” is often referenced as a reason, not just since GDPR legislation came into force in 2018, but for as long as there have been specific data protection laws (which means back at least to the 1990s). However, the information being shared is not people’s sensitive personal data, and it is unlikely to be sensitive data that a financial or information regulator would have concerns about. Regulations and laws are generally straightforward to navigate in this sense.

Next, the fear of reputational damage. Acknowledging publicly as an organization that you’ve experienced a cybersecurity issue has clear reputational consequences. Nonetheless, other organizations will also be thinking: “That could have been us”. You and the people at other organizations you share information with will probably have largely similar cyber regimes and risk profiles. If “impact to the share price” is a measure of reputational damage, remember that you would be entering into sharing information in a closed group with rules around non-disclosure.

Third is trust. It’s not about sharing information arbitrarily without controls or trust. If you or the organization are not comfortable with one or more of the entities in the sharing group, the option is there to withdraw from it (or decide not to join in the first place). If there is a party in the group that you or your organization has legitimate doubts about, the chances are that you are not alone. If you are, simply step back, don’t share and find alternative people to work with. Chances are that others will decide the same and come and find you.

Next, resource fears. If you are a member of a group that generates a significant amount of information that you feel you need to investigate for your organization, there is a risk that dealing with it will overwhelm the resources available to you and your cybersecurity team. Arguably, this is a good problem to have! Few would say: “I have too much information” – your challenge is in fact to work with management and agree what resource can be made available and help them understand that while you may only be processing a fraction of what you are learning, if you were not sharing information you would be missing out on lots of highly valuable intelligence.

Finally, the fear of the one-way street. We mentioned it briefly earlier, but it is easy for an organization to have tunnel vision regarding the meaning of “share”. With cyber information sharing, you are in a room with like-minded and cooperative people, and you’re each having an opportunity to experience each other’s insight and real-world incidents. You are having new experiences, finding new things out and learning about people and their cyber priorities.
