There is no quick way for cyber threat information to be shared on a wide scale, according to the European RSA Conference Programme Committee.
At a research level, security firms have always shared this information, but concerns about competitors and brand damage make it difficult for commercial companies to do the same.
Significant exchange of threat information is often limited to small, usually sector-based communities, such as banking and finance.
It is only in these smaller communities, where individuals know and trust each other, that people feel confident enough to talk about the cyber threats they are encountering.
Government has a role to play in providing protection from liability for any organisation sharing cyber threat information, said Hugh Thompson, RSA Conference Programme Committee chair.
“If an organisation reveals that it has been compromised, it needs to be confident it is not opening itself up to legal action,” he said.
The UK government is trying to enable better cross-industry communication through its Cyber Security Information Sharing Partnership (CISP), launched in March 2013.
But even in this context, participants are struggling to overcome trust issues, said Greg Day, committee member and chief technology officer at security firm FireEye.
Another inhibitor, he said, is that companies which find a way to counter a particular threat tend to view this as a competitive advantage, and are therefore reluctant to share it.
And while many “whitehatters” share to boost their reputation, or in exchange for bug bounties, others prefer to sell to the highest bidders, who typically keep the knowledge to themselves.
Despite initiatives such as the CISP in the UK and the European Union’s proposed directive on network and information security (NIS), cyber sharing tends to happen in isolated pockets of private clubs.
“It will be very difficult to find one tool or mechanism for sharing cyber threat information that suits everyone; it is a complex thing,” said Day.
The UK CISP’s initial discussions have concluded it is important to identify the purpose of sharing information such as early warning alerts.
The UK CISP has also found that it may be necessary to tailor information to the needs of different groups.
“While technical information may be useful to large companies who can translate that into action, smaller companies will need advice on what to do,” said Day.
“Size does matter because sharing such information is based on trust, so more sharing tends to happen in smaller groups,” said John Colley, committee member and managing director for (ISC)2 in Europe.
In one such small group in 2003, Barclays Bank shared information about the first phishing attack in the UK, and when the same attack hit NatWest two weeks later, they were prepared, he said.
Colley sees this as a key to moving forward, but he believes it is up to individuals to make contacts and build trust to ensure they are tapped into the information they need.
“In my experience, the IT security community is very open and supportive and willing to share with trusted contacts, but people need to make the effort to engage with them,” he said.
(ISC)2 allows members to set up their own chapters, for example, and these provide an opportunity to network, grow contacts and build trust relationships, said Colley.
This can also be achieved through membership of larger communities such as the Information Security Forum (ISF).
While sharing security information remains challenging, many within the industry believe it is essential for maintaining an equal footing with adversaries.
As national and regional authorities push ahead in pioneering mechanisms, Colley points out that building the all-important ingredient of trust comes down to the individual.