Information Sharing Versus Light Speed, Actionable Threat Intelligence InsightsTerry Roberts
Information Sharing Versus Light Speed, Actionable Threat Intelligence Insights:
So one of my "pet peeves" for almost a decade has been the continuous drum beat around the need to share technical insights regarding cyber threat signatures abnormalities, 19, actors and events across government, across industry sectors, and across government and industry - but not at speed and not at scale and not always actionable. Almost as if this were something completely new - unrelated to threat intelligence in other areas like law enforcement and national security. That somehow if it has to do with the INTERNET or IT or cyber defense - it is a completely new arena unrelated to all others.
The fact remains this is all about online crime, fraud, espionage and disruption to our businesses, our government, our schools, our organizations and our society as a whole. When are we standing up as a community and saying we are not going to take it anymore!! And Unite! With Purpose! With Passion! And Efficacy!
Not to imply in anyway this is easy…
Partnering across the Private and Public Sectors has always been challenging.
"Like" Businesses are naturally competitive.
Unlike Businesses do not relate to each other unless there is a common cause or locality.
Government organizations are stove-piped within their own lexicons, communication's channels and cultures.
Government has secret sources and methods they need to protect and will only share insights with Industry if those sources and methods can be protected and leveraged into the future.
Industry owes their allegiance to their owners, BOD's, Stockholders and customers - not to the Government - thereby focusing on protecting their reputation and revenue at almost all cost.
So where to begin?
Start with our common online enemy (the criminal hacker groups and individuals), a common purpose and a vehicle that is smart, effective, scalable and repeatable - operating at the speed of technology. And don't focus only on "information sharing" - deliver when feasible your insights, ensuring you're sharing vetted, analyzed and actionable cyber threat intelligence. Then you will truly make a difference and enable us to get ahead of the "bad cyber actors."
As a result of all of the above - I am convinced this is not a government to industry or an industry-to-industry approach that is the optimal solution. For years I have promoted the implementation of a trusted, third party, non-profit entity with deep cyber credentials and a cyber track record that is equally trusted and respected by Government and Industry alike. Only in this way is the "sharing" worked by an expert with the benefit of all in the forefront, allowing it to scale over time.
So do these entities exist? Yes they do and they are simply waiting to be leveraged and fully employed. Places like MIT/LL, CMU/SEI/CERT, MITRE, Sandia Labs, Hopkins APL and others. They have performed similar functions for years and some for decades - but they have never been fully employed because of government's and industry's desire to control the sharing mechanism - even though current efforts are failing to keep up and failing to reach the next level of maturation and impact.
Currently we are not stemming the cyber crime tide across all sectors. It is time to pilot new approaches like that of the Cyber Threat Alliance and a next generation of the DIB Pilot - but using exceptional third party entities as the trusted hub.
What are we waiting for?