Cybersecurity and Cyberwar (38 page)


Authors: Peter W. Singer, Allan Friedman


That is, the booming cybersecurity field may be realigning incentives for how vulnerabilities are bought and sold in a direction that is harmful to wider cybersecurity. Some security services firms want the advantage of being able to protect their customers against undisclosed vulnerabilities that they alone know about, while others are more like cyber arms brokers, buying up and then selling these zero days for use in offensive cyber weapons designs. Here again, just like in any other marketplace that starts to move from white- to black-market activity, be it drugs or cyber vulnerabilities, the government has to stay aware and be prepared to police it when any actions become socially destructive.

The market can be a powerful force for cybersecurity when it functions properly. An economic perspective also acknowledges that some attacks are not worth defending against if the price of defense is greater than the direct and indirect cost of the attack. This links us to the next important issue in crafting better responses on cybersecurity: information sharing and accountability mechanisms. They are what support such key cost-versus-benefit calculations and ultimately are what steer the incentives toward security.

Learn to Share: How Can We Better Collaborate on Information?

“It's always more fun
To share with everyone!”

In preschools and kindergartens across the United States, young children sing “The Sharing Song” to learn the importance of giving up something that you have in order to help someone else. Unfortunately, the lessons of cooperation and sharing aren't taken to heart by many key players in the world of cybersecurity.

One of the best illustrations of the sharing problem comes from the world of banking. Banks often hire firms to detect and remove phishing websites for their brand. The faster the spoofed financial websites are removed, the fewer the number of users who can be duped into surrendering their credentials and ultimately enabling fraud. However, one study compared the lists of websites detected for two different takedown companies and found something interesting: each had discovered websites for the other's clients but had no incentive to remove them. Had the firms shared, they could have saved their collective clientele an estimated $330 million.

Competition can create a market for cybersecurity, but security decisions depend on good information. Sharing this information greatly expands all parties' knowledge, situational awareness, and preparedness for cybersecurity. As the White House's 2009 Cyberspace Policy Review explained, “Information is key to preventing, detecting, and responding to cyber incidents. Network hardware and software providers, network operators, data owners, security service providers, and in some cases, law enforcement or intelligence organizations may each have information that can contribute to the detection and understanding of sophisticated intrusions or attacks. A full understanding and effective response may only be possible by bringing information from those various sources together for the benefit of all.”

The key benefit of information sharing is that it allows a more complete view of emerging threats and patterns, arming actors with the lessons learned from others' experiences. Attacks and their consequences are often not immediately obvious and require information from multiple sources to build an understanding of the new dangers and mitigations. Beyond empowering decision-makers with more data, successful information-sharing regimes benefit individual actors by supporting the diffusion of experience and best practices of each organization.

Information sharing comes in various forms. Some cybersecurity information can be very technical, such as passing on to others the digital signature of a newly identified piece of malware. Alternatively, it can be more context-specific, such as a new approach to spear phishing that is targeting a certain type of executive in a specific industry. It can be preemptive, such as the specifications for how to fix a newly discovered vulnerability. Or it can be responsive, such as sharing the details on a successful security breach. Information can be time sensitive and needed for rapid decisions, or only useful when aggregated over time, such as a small part of a data set that will someday produce a breakthrough after combination and analysis.

The approach to sharing must be related to the data. Sharing requires us to ask “With whom?” and “How?” Sharing can be decentralized, with organizations working together, or it can be centralized, with the government collecting data from across the public and private sector, then redistributing actionable intelligence. Some technical data, such as that gathered automatically by computers, should be shared automatically with a wide audience to bolster defenses. Other types of data are very sensitive and require careful analysis before they can be used effectively. For example, data about a successful attack that is shared too widely or with too much specificity could unintentionally reveal sensitive information about the victim. Alternatively, information about how an attempted attack was defeated could help an adversary adapt its tactics to win the next time around.

This connects the notion of sharing to that other value we learn as little kids, trust. The best defenses utilize a sharing regime based on trust and the human capacity to understand and act on the data. Antivirus companies, for example, have traditionally shared samples of newly detected malware but only inside a trusted group.

Unfortunately, this diversity of information types and sharing requirements has led to a fragmented approach so far in cybersecurity. There are a host of information-sharing organizations and models, each built around specific needs and demands. The need for a wide range of information-sharing solutions is particularly pronounced in the United States, whose large economy has little in the way of policy coordination for any issue, particularly those spanning industrial sectors. The largest established model of information sharing is the Information Sharing and Analysis Centers (ISACs). Created in 1998 by presidential directive, the ISACs are organized around specific sectors of the economy, such as financial services or healthcare, with each sector determining its organizational form and function.

While the initial directive was somewhat unique at the time in explicitly recognizing cyberthreats, the ISACs have had a mixed record of generating real impact. Most offer a digital library of relevant resources and help coordinate interested participants through mailing lists and events. Some have 24/7 operations centers or crisis management protocols. The Information Technology center (IT-ISAC) offers “secure Web portal, listservs, conference calls with member companies, and dedicated analysts that provide analytical support.” The IT-ISAC finds itself in an interesting position, since a great deal of the nation's cybersecurity information comes from its members. Executive Director Scott Algeier describes how market conditions have shaped its mission. “Private companies tend to disclose vulnerabilities to their customer base first before sharing information with outside entities.… So the new model is looking at ways we can facilitate information sharing by our members about what attacks they're seeing.” Jason Healey, director of the Cyber Statecraft Initiative, stresses the importance of this kind of sharing across the public-private boundary. One good approach is for industry and government groups to have their own meetings first: “Then they gather together immediately and compare notes and learning.” There's also a social component. “Then they all go out and have dinner. It builds trust and relationships.”

Another model is built around buying power. As it saw cyberthreats building, the Department of Defense helped stimulate the creation of an information-sharing program inside its vast network of contractors and vendors. The network works in both directions of information sharing. The Pentagon would provide its Defense Industrial Base of corporate suppliers with both classified and unclassified threat information as well as security advice. “DIB participants, in turn, report cyber incidents for analysis, coordinate on mitigation strategies, and participate in cyber intrusion damage assessments if information about DoD is compromised.” The information itself is mostly kept anonymous, so that the companies can share it, without worrying that they are aiding their competitors.

There are also smaller organizations that support information sharing on a local scale. The FBI has organized Infragard, where each of its field offices reaches out to local businesses and researchers to talk about cybersecurity issues. Some regional chapters are very active, with regular seminars and mailing lists; others are less so. There are also various regional organizations, such as the Boston area's Advanced Cyber Security Center, that serve as forums to bring together local tech companies and researchers. Member-funded but with an eye to federal grants, ACSC has bimonthly meetings with presentations from experts and developed a unique full-scale participation agreement to share sensitive cyber information while maintaining confidentiality.

The private sector has had its own successes in collaboration. Consortia of vendors and researchers have grown around specific topics, such as the Anti-Phishing Working Group. Standards organizations can serve as venues to standardize key aspects of security information. The Institute of Electrical and Electronics Engineers' Malware Working Group is focused on packed, or obfuscated, malware and standardizing how this malware is studied and defeated.

Notably, it is the attention and career benefits of presenting a new security finding at a major security conference that seems to encourage much of the public sharing in these venues. This applies not just to individual researchers but to security companies themselves, who too often think holding information back gives them an edge against competitors. In 2013, the security company Mandiant took a very public role in publicizing its findings about Chinese infiltration into American corporate networks, with the New York Times nearly quoting its reports word for word. This information sharing had an enormous impact on global cybersecurity policy, but Mandiant also got something out of the bargain. Security blogger Adam Shostack has explained how such firms that go public are “really not giving the data away. They're trading it for respect and credibility.” Sharing of information doesn't just build their brand as a company but can also help educate the market about risks, fostering broader investment. Working with more customers can, in turn, generate more data for the firm to analyze.

Given all these different mechanisms for information sharing, is there enough? Many believe that there is not. The high-tech trade association TechAmerica has argued that “the inability to share information is one of the greatest challenges to collective efforts toward improving our cybersecurity.” Security consultant Erik Bataller insists that “the public and private sectors need to share more information—more parties must be included and new platforms used,” ideally to the point where we can have “real-time identification and response as threats occur.” This vision, shared by many, is that instead of the current series of loose coalitions built around types of information or industry sectors, with varied levels of energy and activity, there would emerge a more universal kind of sensor network that could work across cyberspace to detect and respond to threats.

It's a powerful concept, but there are some large obstacles. The main challenge is sharing between the private sector and the government. Without further legal protection, firms worry that information they share may be used as evidence by the government or in litigation that might come back to bite them. It might not even be on cybersecurity matters. One study, for instance, found that an energy company was unwilling to share information about its cybersecurity threat experiences because it worried that the data might somehow be used to damage the company in matters that had nothing to do with cybersecurity. That is, it cared less about the risks of power loss to the mass populace than pesky lawyers from environmental rights groups also getting hold of any of its data.

Such fears severely reduce any incentive to share with the government. Industry groups have asked Congress to provide legal protection before they participate in widespread programs.
Paul Rosenzweig explains that this public/private mistrust is mutual: “Government institutions like the NSA … with (perhaps) superior knowledge of threat signatures and new developments in the arsenal of cyber attackers are deeply reluctant to share their hard won knowledge with the private sector at the risk of compromising their own sources and methods.”

It is important to stress that sharing is not a panacea. While many cybersecurity breaches would be prevented or preempted, a number still would occur even in a world where companies and governments play perfectly nice. The key is to recognize that while sharing won't stop most “zero days,” it will prove critical in most “day afters.” The success of information sharing, though, is highly dependent on the context and parties involved. Even among the IT professionals responsible for securing organizations, most people will not be able to use most of the information that might be shared with them.

This is where policy becomes key. Organizational support to validate, then distribute, then enable data's use should be the primary goal of any information-sharing policy. Once it is understood how that goal can be achieved, limiting obstacles like liability protection or incentives can be tackled. Focusing on the process and then the barriers can help find innovative approaches to cooperation, finding ways to pass on important information even under unusual circumstances.

Here again, we see how recognizing the incentives and then reshaping them is so important. In the bank phishing takedown case, the competing firms could better serve their clients if they shared information, but holding back good security data was also to their competitive advantage. There was an alternative, a mechanism of sharing that preserved their interests. The phishing takedown firms could still compete by trying to detect websites, but a fee-based privacy-preserving protocol would have allowed them to pass on information without revealing any competitive information outside the exchange.
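A minimal model of the fee-based, privacy-preserving exchange sketched above, added here as an illustration rather than taken from the book: the firm names, brands and URLs are constructed, and the exchange is assumed to be a trusted third party that alone holds every firm's client roster.

```python
from collections import defaultdict

class TakedownExchange:
    """Clearing house between competing phishing-takedown firms (constructed model).
    Firms register the brands they protect; a firm that spots a spoofed site for a
    brand it does not protect submits it here, and the exchange forwards the URL to
    the protecting firm for a fee. Neither firm learns the other's identity or roster.
    """

    def __init__(self, fee):
        self.fee = fee
        self._owner = {}                # brand -> protecting firm; exchange-only
        self.inbox = defaultdict(list)  # firm -> URLs routed to it
        self.ledger = defaultdict(int)  # firm -> net fee balance
        self._seen = set()              # (brand, url) pairs already paid for

    def register(self, firm, brands):
        for brand in brands:
            self._owner[brand.lower()] = firm

    def submit(self, reporter, brand, url):
        """Return a status string; the protecting firm's name is never returned."""
        brand = brand.lower()
        owner = self._owner.get(brand)
        if owner is None:
            return "unprotected"       # nothing to route; reporter learns no more
        if owner == reporter:
            return "own-client"        # reporter already protects it; no fee
        if (brand, url) in self._seen:
            return "duplicate"         # each spoofed site is paid for only once
        self._seen.add((brand, url))
        self.inbox[owner].append(url)  # delivered without reporter attribution
        self.ledger[reporter] += self.fee
        self.ledger[owner] -= self.fee
        return "routed"

def demo():
    """Constructed sample run: each firm finds sites spoofing the other's clients."""
    ex = TakedownExchange(fee=50)
    ex.register("FirmA", ["Bank X"])
    ex.register("FirmB", ["Bank Y", "Bank W"])
    results = [
        ex.submit("FirmA", "Bank Y", "http://bank-y-login.example/"),   # routed to FirmB
        ex.submit("FirmA", "Bank W", "http://bank-w-verify.example/"),  # routed to FirmB
        ex.submit("FirmB", "Bank X", "http://secure-bankx.example/"),   # routed to FirmA
        ex.submit("FirmB", "Bank Y", "http://bank-y-login.example/"),   # FirmB's own client
        ex.submit("FirmA", "Bank Y", "http://bank-y-login.example/"),   # already paid for
        ex.submit("FirmA", "Bank Z", "http://bankz.example/"),          # nobody protects it
    ]
    return ex, results
```

The duplicate check is what keeps the fee from rewarding resubmission of a site the exchange has already routed, and the status strings are the only thing a reporter ever sees about another firm's book of clients.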
