Information sharing still a heavy lift

Cooperation on sharing cyber threat information between the public and private sector is essential, government officials at this week’s Cambridge Cyber Summit said. But they admit there are good reasons for mistrust on the private side

Everybody shares stuff, man.

That line, from ‘70s stoner comics Cheech and Chong, was about sharing joints, of course.

But today it is about information, and the message from top-level government financial and intelligence officials is that everybody needs to do more of it.

At the Cambridge Cyber Summit this week, held at MIT’s Kresge Auditorium and sponsored by MIT, The Aspen Institute and CNBC, several of them stressed that effectively countering the level and sophistication of cyber threats to the nation’s financial, economic and political system is going to require more sharing between the public and private sectors.

“Collaboration” and “cooperation” were mentioned frequently.

This is nothing new in the online security world. It has been discussed at IT conferences for well over a decade. It has been a goal of government for that long as well, and Congress, after a number of failed attempts, passed the Cyber Information Sharing Act (CISA) late last year.

[ MORE FROM THE CYBER SUMMIT: Security vs. privacy: The endless fiery debate continues ]

Still, stubborn resistance remains among many in the private sector.

Government officials at the event, ranging from Admiral Michael S. Rogers, commander of US Cyber Command and director of the National Security Agency (NSA), to FBI Deputy Director Andrew McCabe, Deputy Secretary of the Treasury, Sarah Bloom Raskin and John Carlin, assistant attorney general for national security, acknowledged that there is mistrust of government in both the general public and private industry, thanks in part to multiple revelations of government surveillance, ranging from former NSA contractor Edward Snowden to this week’s report about Yahoo allegedly allowing government screening of its email traffic.

But they say both the private and public sectors would benefit, at all levels of society, from increased information sharing.

Raskin said her department, “encourages a lot of sharing of information. We would like institutions to feel that they can benefit just as much from receiving information as giving information.”

She added a failure of security in the banking system would lead to a different breakdown of trust – trust from depositors that their assets are safe.

“Potential exploitation has the effect of undermining trust,” she said. “Our ultimate objective should be to reinforce the public's trust in the resiliency of the financial product, service, or institution.”

McCabe, interviewed by Walter Isaacson, president and CEO of Aspen, admitted there is resistance “throughout the private sector” to allowing the FBI to monitor their systems in real time, even though he said that would let the agency notify an organization much sooner in the event of an attack.

Besides the obvious privacy implications, he said, “they feel it impacts their reputation and their position in the community. Nobody likes to say, ‘Hey, we've been hit.’”

But he said the FBI does share threat information regularly. “We provide notifications to private sector entities all the time, we certainly coordinate immediately and directly with the affected entity and assist them and DHS (Department of Homeland Security) in doing whatever is necessary to repel that attack.

“The problem is, you don't see everything,” he said. “The more information we are able to share with the private sector, the academic sector, the better our detection ability becomes.

“We've got to get to that point where folks are comfortable sharing information and ultimately providing access if we expect the FBI and DHS and our Secret Service and our other partners in government to be able to be more proactive in the way we address the threats,” he said.

However, there remains within private industry a strong belief that government is much more interested in collecting data from the private sector than in sharing what it has. Justin Harvey, CSO of Fidelis Cybersecurity, was one of a number of security experts who said in January, after CISA’s passage that he believed it was, “meant to be a surveillance bill from the start,” and lacked adequate privacy protections.

Government speakers at the summit insisted they are committed to sharing.

On a panel titled, “National Security: Hacking Democracy,” Arizona Secretary of State Michele Reagan spoke of her state’s election systems being hacked, allegedly by Russia, and said it will take a serious effort of public education by government to maintain the public’s confidence in the results of the coming election.

“It’s made people think twice about registering to vote,” she said. “We know things get shaken when people are afraid.”

[ ELECTION HACKING: Read CSO's series of stories on the possibility of the vote being hacked ]

The bottom line, most agreed, is that increasing private sector information sharing will be a heavy lift.

“A lack of trust with the FBI specifically is not the only driver,” McCabe said. Another is that private entities don’t want it known that they were hacked. “There's obvious economic repercussions. There's shareholder value issues. So it's a complicated mixture,” he said.

Isaacson asked if it would help to have a law that banned, “derivative shareholder lawsuits if somebody discloses in real time that they've been hacked?”

McCabe said he has nothing to do with filing or passing legislation. But he agreed that it would help. “More information is better for us. That's our chance of getting out in front of this threat.”

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)