Threat actors with different motivations are allying in ways they haven’t before, making it all the more urgent for organizations and governments to step up their information sharing.
In some instances, the skill level required for hacking has fallen. Ransomware and DDoS attacks, for instance, are offered as services. Threat actors don’t need a skillset, just a willingness to split what they receive. And various hacking groups are well organized, not only by sector, but also by specialty, like financial-related or intellectual property theft, or theft from commercial entities and consumers. These groups are very good at sharing information among themselves.
By contrast, most corporate entities still struggle with information sharing, though there are exceptions and there is an increased willingness to share. But to do so, you often have to work through your legal and corporate departments to establish ground rules on how information-sharing with other companies should work. Unlike criminal organizations, who can share anything, we’re bound by having to share the right level of information. While you want to work with your peers, they probably are also competitors.
CISOs need to actively engage with their legal departments on this, whether or not there is already an information-sharing threat group in their sector. You want to be an active contributor because things are only really successful if everybody’s actively participating.
Once organizations get better at information sharing, then the question is, how do you act on it? An organization has to have a certain level of cybersecurity maturity to be able to action that threat intelligence, and that involves some degree of automation. Threat intelligence is great, but because it comes in at such a volume, the only way to operationalize it is through automation.
Over the past few years, the government has been more active in getting organizations to share information through public-private partnerships. The City of New York, for example, launched a Cyber Command in 2017 to share information and collaborate in real time to prevent or respond to a cyber attack.
Many organizations share a similar concern over when to reach out to law enforcement, and what information to share. Most government organizations have been getting better about allaying that fear by treating organizations that reach out for help as victims, rather than notifying regulators and getting them into trouble.
The government is also trying to figure out how to get these programs more broadly known, something that will reduce the concerns organizations might have about involving law enforcement. A lot of times these programs are only visible to the CISO, but it’s better if the CEO and the board also know how to work with government agencies and what information the agencies can share back. If there’s an interest from the CEO and the board, then things tend to be done a lot faster. What’s more, small or medium-sized businesses might not have a security team, so they should be made aware that these resources are out there and available to them.
To be most effective, information-sharing needs to be a two-way street, and government agencies are not always great about sharing information back with organizations. And if the government only sparingly shares its information with organizations, then that diminishes the value to the organization of reporting these things. The goal of a business is to be back up and functioning. There has to be better value delivered.
Government agencies, therefore, need to figure out what they’re allowed to share. There’s also the matter of who within the organization to share it with, because the designated point person will have to undergo clearance, an intrusive process that takes time and money.
Information sharing also takes place among governments, but what can be shared differs from country to country. What’s more, after you share the information, there’s the question of how it’s actioned. Not all governments will act on the information they receive in the same way. For instance, will the organizations who report be treated as victims rather than transgressors?
There is a willingness among governments to share information, but like anything else, it’s complicated by trying to figure out the rules of engagement.
Across the board, challenges in information-sharing persist. But we’re getting better at doing it, and as threat actors grow more sophisticated and attack surfaces expand, we’re going to see it playing an ever more important role.