Cyber threat data: Why everyone needs access
In this brave new digital age, information on the latest cyber threats can be thought of as a form of “currency,” and an increasingly valuable one at that. Cyber threat data exists in many forms and comes from many sources — yet by and large, it remains inaccessible or unusable to most. Access is scarce and rationed, which reduces our ability to deal with the challenges in the cyber world coherently and fully.
The marketplace for cyber threat data spans the public, private, and non-profit sectors. Here’s the current state of play: most industries have what are called “information sharing and analysis centers,” or ISACs. An ISAC is usually a non-profit organization committed to fostering shared awareness of cyber threats within a particular industry – such as financial services, healthcare, or public utilities. ISACs generate their own “currency” by deploying networks of threat detection sensors across their industry, and then selling the collected data in the form of membership dues and other cybersecurity services. Included in the membership is access to the ISAC’s proprietary cyber threat data. Access is usually restricted to paying members and classification protocols limit widespread dissemination to protect the confidentiality of sources. Limiting access and dissemination, of course, bolsters each ISAC’s currency and counters deflation.
ISACs also offer their paying members a virtual venue for intra-industry collaboration, one that largely evades the eyes of the federal government and other industry verticals. Success stories for this construct often involve detecting / responding to cyber-attacks confined to a single industry, such as the denial of service campaign that plagued most U.S. banks from 2012-2013. Good, but very limited.
Unfortunately, most cyber threats are not exclusive to a single industry, so in the end, these information sharing silos hinder truly broad shared situational awareness. And by limiting membership to a single industry, companies are sometimes reluctant to share information with the ISAC if it might advantage an industry competitor. While not necessarily cost prohibitive, an ISAC’s membership fees can deter smaller businesses from joining.
In addition to non-profit ISACs, for-profit corporations also obtain and sell cyber threat data in the marketplace. For example, the few Internet Service Providers that transport most domestic online traffic benefit from keen awareness of America’s cyber threat landscape. These insights yield increasingly valuable data for companies to mitigate their growing cyber risks.
Cybersecurity firms that specialize in threat detection also transact this data in the marketplace. Demand for cyber threat information is so high that a group of competing cybersecurity firms recently pooled their resources to form the Cyber Threat Alliance, a non-profit consortium designed to increase the market’s overall supply of threat data “currency.” Membership requirements include the ability to provide the Alliance “at least fifty samples of new mobile malware per day…”
Finally, there’s the federal government, which deals mostly in classified cyber threat “currency.” The federal government’s sensitive sources and methods used to collect cyber threat data usually preclude real-time information sharing with the private sector. Unless the data rises to a threshold demanding immediate de-classification, it is often stale by the time it reaches the end-user’s inbox. But unlike most non-profit and for-profit participants in this marketplace, the public sector seeks to trade its data in exchange for the private sector’s cyber threat data. In other words, instead of a data for dollar transaction, it’s a data for data deal.
To be clear, the non-profit and for-profit players should be applauded for applying free market principles to solve a problem that has long plagued the public sector. Information sharing exists today in large part because of non-governmental innovations. And as long as demand exists for proprietarily-sourced cyber threat information, the marketplace for trading threat data for dollars will only prosper as digital attacks persist.
But America’s cybersecurity strategy cannot hinge on the patriotic or altruistic motivations of non-governmental institutions. Government must consider all constituencies, including those that are unable or unwilling to trade dollars for data to protect their business, government, or family from today’s cyber threats. For these Americans, government has a responsibility to inject a baseline amount of “currency” into the marketplace to balance against an otherwise regressive domestic cybersecurity regime.
Last month, President Obama signed an Executive Order aimed at promoting private sector cybersecurity collaboration. The directive “encouraged” the formation of so-called “information sharing and analysis organizations” without explicitly defining the composition or role of these “ISAOs.” The Department of Homeland Security is now hosting public meetings to establish exactly what the President’s order authorized.
The policy prescription is not a modified acronym, but rather a more accessible marketplace for cyber threat information, and the institutions and infrastructure to deliver the currency across the public and private sectors. There are several things we should do:
First, we need to achieve scale and horizontal integration in the marketplace by organizing information sharing vehicles along broad geographic lines, not just by industry or sector. Clusters of state and local “cyber threat information exchanges” should combine to form a non-hierarchical marketplace that spans, not divides, industries and sectors. The Department of Homeland Security should set the strategy, and states should execute it.
Second, membership in these state and local exchanges should be free. The most vulnerable among us are also the most uninformed. Government has a responsibility for providing certain cybersecurity services to protect its citizens, starting with access to real-time and relevant cyber threat data. Those that voluntarily trade their “currency” in the marketplace should receive access to everyone else’s cyber threat information in return.
Third, if we are to establish a flatter marketplace for cross-sector collaboration on cyber threats, government must create the conditions that encourage all parties to engage without fear or risk of reprisal or litigation. We need the equivalent of a Consumer Protection Act for those that willingly contribute to the marketplace.
Today’s competitive marketplace for cyber threat information keeps the most vulnerable among us at the highest risk – it is essentially a “regressive” system in economic terms. Perhaps more importantly, it limits our ability to respond broadly across industry lines. It’s time for government to be involved in sensible, coherent, and broad ways at the local, state, and national levels. The non-profit and private sectors have done their part – now it’s government’s turn.
Stavridis is dean of The Fletcher School of Law and Diplomacy at Tufts University, where he is focused on cybersecurity. He served as the 16th Supreme Allied Commander at NATO from 2009-2013.