In preparation for sanctions against hackers from the Federal Security Service of the Russian Federation (FSB) and Russia’s main intelligence agency known as the GRU, the Obama administration released information that it alleged showed the responsibility for the “highest levels” of the Russian government for hacking into servers of the Democratic National Committee (DNC) and email of John Podesta, and using this information to try to sway the U.S. electorate.
Let’s put aside whether any of this is true. What’s extraordinary is that the US intelligence agencies decided to publicly share raw intelligence about the motives, methodology, attribution, and intentions of a cyber-adversary. This raw intelligence could then be absorbed by the information security community, the strength of the attribution challenged (or accepted), and the nature of the threat (and threat actor) evaluated and responded to.
Problem is that this is extraordinary. As in not ordinary. And it should be very ordinary.
Fundamentally that’s one of the big problems with so-called “information sharing” – particularly public-private information sharing. You see, governments collect threat information in a wide variety of ways for a wide variety of reasons.
Much of this information is highly sensitive – it could reveal our own intelligence capabilities (and their limitations), our sources, our methods, what we know and what we don’t know. Moreover, if the CIA, NSA, DIA, or Cybercommand finds a previously undetected Indicator of Compromise (IOC) or exploit, they may want to keep it secret to exploit it, keep it secret to allow an adversary to attempt to exploit it, or keep it secret in order that other adversaries not exploit it.
Notice a pattern here? For the most part, for government agencies, particularly law enforcement, military, or intelligence agencies, it’s in their interests NOT to reveal the lurid details of hacks, exploits, or true threat intelligence. These are their closely guarded secrets.
But this is precisely the kind of information that the infosec community – including the DHS community – desperately needs to protect itself. Pure, raw intelligence that it can determine whether it is worthwhile. While the intelligence community is more than happy to accept threats or incident or vulnerability information from any source, there is a sense in the information security community that they are parsimonious about what they are willing to share.
What happened with respect to the Russian hack should not be an isolated event. That kind of information should be shared constantly — and whenever possible, publicly. The more eyes – and the more critical eyes – looking at a problem, the more likely there will be a solution.