One of the key lessons of 2015 was that cybersecurity is more important than ever – a lesson that Sony and the Office of Personnel Management learned the hard way. In the wake of these hacks, information sharing has become a very popular way for private companies and the government to tangibly demonstrate their commitment to good cybersecurity.
In February 2015, President Obama signed an executive order meant to encourage sharing of cybersecurity threat information. This executive order urged businesses to create Information Sharing and Analysis Organizations (ISAOs), and placed the onus on the Department of Homeland Security to act as the point of contact between the ISAOs and the government. The point of the ISAOs is to serve as central hubs for gathering and distributing information.
While the executive order was viewed as a good step, many industries had already created organizations for the express purpose of sharing information. These Information Sharing and Analysis Centers (ISACs) exist for a variety of industries, from information technology to health services to aviation. This movement towards greater information sharing reached a peak with the passage of the Cybersecurity Information Sharing Act (CISA) in December 2015. CISA allows companies to voluntarily share information with the government about cyber-threats, although its passage was not without controversy.
How then, is information sharing supposed to actually improve security? The underlying premise behind information sharing is the fact that hackers tend to use the same methods and programs against multiple targets. For example, they will write up a phishing email, attach a malware-infected document, and send it to hundreds or thousands of people. Even though most people won’t open it, the few that do give them the access they need to accomplish whatever their goal is. This economy of scale approach is what makes cybercrime so profitable, and greatly increases the odds of network breaches for cyber-espionage purposes. However, if the first victim of that phishing email was able to tell all other potential targets to avoid that message, then the entire approach would fail. That is the core mechanic of information sharing: by spreading the word about how hackers are attacking, everyone in the community can proactively protect themselves – and net security increases across the board.
That being said, this idealized version of the information sharing process tends to encounter some serious problems when put into practice. To begin with, improved security is not always enough of an incentive for businesses to share information with each other. Information sharing efforts are usually industry specific, and so they amount to working with competitors in a way that some businesses believe will hurt them more than any given hack could. Beyond that, information sharing between businesses and the government is often complicated by the difficult process that government agencies must go through to share information with private entities. As a result, many businesses view “information sharing” with the government as a one-way street, with no reciprocation for them. Finally, there are serious concerns about privacy. The passage of the CISA legislation was so difficult due to concerns from privacy advocates that the information being shared with the government was not sufficiently anonymized. The fear was that information sharing, in this context, was de facto mass surveillance – and therefore violated the civil liberties of the American people. Although CISA is now law and ISACs have been established in many industries, these barriers still represent a significant problem for information sharing efforts overall.
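The mechanic described above (the first victim warns everyone else about the same phishing campaign) and the privacy concern raised here (shared data should not expose the victim) can both be shown in a few lines of code. The following is an added example, not code from the article or from any ISAC: it assumes a toy message format, a constructed phishing message, and constructed sender domains and attachment bytes. It builds a shareable indicator record that keeps only attacker-controlled attributes (sender domain, attachment hash, subject pattern) and drops the recipient, then checks another organization's inbound mail against that record.

```python
import hashlib
import re

# Constructed sample: the phishing message as the first victim's mail gateway saw it.
# The sender domain, subject and attachment bytes are invented for this example.
FIRST_VICTIM_MESSAGE = {
    "from": "billing@invoice-portal-example.test",
    "to": "alice@victim-one.example",
    "subject": "Overdue invoice #4471 - action required",
    "attachment_name": "invoice_4471.doc",
    "attachment_bytes": b"\xd0\xcf\x11\xe0 constructed fake document payload",
}

# Constructed sample: the same campaign reaching a second organization.
# Same sender domain and attachment, but a different recipient and invoice number.
SECOND_VICTIM_MESSAGE = {
    "from": "Billing@Invoice-Portal-Example.test",
    "to": "bob@victim-two.example",
    "subject": "Overdue invoice #9912 - action required",
    "attachment_name": "invoice_9912.doc",
    "attachment_bytes": b"\xd0\xcf\x11\xe0 constructed fake document payload",
}

# Constructed sample: ordinary internal mail that should not match anything.
BENIGN_MESSAGE = {
    "from": "hr@victim-two.example",
    "to": "bob@victim-two.example",
    "subject": "Cafeteria menu for next week",
    "attachment_name": "menu.pdf",
    "attachment_bytes": b"%PDF-1.4 constructed benign content",
}


def _sender_domain(msg):
    """Lower-cased domain part of the From address."""
    return msg["from"].split("@", 1)[1].lower()


def build_shared_indicator(msg):
    """Turn a confirmed phishing message into a record fit for sharing.

    Only attributes the attacker controls are kept. The recipient address and
    any other victim-identifying field are deliberately left out, which is the
    minimization step privacy advocates asked for. Digits in the subject are
    generalized so that lure variants ("#4471", "#9912") match one pattern.
    """
    subject_pattern = re.sub(r"\d+", r"\\d+", re.escape(msg["subject"]))
    return {
        "sender_domain": _sender_domain(msg),
        "attachment_sha256": hashlib.sha256(msg["attachment_bytes"]).hexdigest(),
        "subject_pattern": subject_pattern,
    }


def check_inbound(msg, indicators):
    """Return the sorted list of indicator fields an inbound message matches.

    An empty list means no shared indicator applied. A receiving organization
    would typically quarantine on an attachment-hash hit and flag on the others.
    """
    domain = _sender_domain(msg)
    digest = hashlib.sha256(msg["attachment_bytes"]).hexdigest()
    reasons = set()
    for ind in indicators:
        if domain == ind["sender_domain"]:
            reasons.add("sender_domain")
        if digest == ind["attachment_sha256"]:
            reasons.add("attachment_sha256")
        if re.fullmatch(ind["subject_pattern"], msg["subject"], re.IGNORECASE):
            reasons.add("subject_pattern")
    return sorted(reasons)


if __name__ == "__main__":
    shared = build_shared_indicator(FIRST_VICTIM_MESSAGE)
    print("shared indicator:", shared)
    print("second victim:", check_inbound(SECOND_VICTIM_MESSAGE, [shared]))
    print("benign mail:", check_inbound(BENIGN_MESSAGE, [shared]))
```

The indicator record contains no recipient, so the second organization learns how the attacker operates without learning who at the first organization was targeted; that separation is what makes the record shareable across competitors and with the government.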
As the cyber-threat continues to change and evolve, both the government and the private sector will need to develop new ways of countering both espionage and criminal actors. While the full extent of its possible impact should not be over-estimated, information sharing could become one of the more effective adaptations aimed at improving cybersecurity in the United States. The final result of these efforts will depend heavily upon how current initiatives are executed, but the potential is there – and the next couple of years will demonstrate whether or not information sharing can yield a net benefit for both businesses and the U.S. government.
Luke Penn-Hall is the Cyber and Technology Producer for The Cipher Brief.