Silicon Valley wary of U.S. push for cyber security info sharing

The Obama administration negotiated an historic nuclear deal with Iran and reached an agreement to normalize relations with Cuba. Now comes the hard part – winning over Silicon Valley when it comes to sharing cyber security information.
n the wake so many well-publicized security breaches in both the private and public sectors, the U.S. government is stepping up its efforts to build bridges with the tech community. In April, at the annual RSA Conference in San Francisco, the U.S. Department of Homeland Security announced it was finalizing plans to open a satellite office in Silicon Valley to “strengthen critical relationships in Silicon Valley and ensure that the government and the private sector benefit from each other’s research and development.” That same month, the House of Representatives passed the Protecting Cyber Networks Act, part of an effort by Congress to promote information sharing relative to cyber security threats. So, what’s the reaction in the tech world? Many tech execs interviewed for this story say it’s a good idea in theory – but that privacy and legal concerns could be a deal breaker. “The reality is attackers are breaching organizations with the same techniques over and over again,” says Haiyan Song, senior vice president of security markets at Splunk, a provider of software platforms for real-time operational intelligence. “To help address this challenge, we need to improve information sharing within the private sector and between the private sector and the government.” Historically, this has been done through independent cyber security reports that reveal holes and areas of susceptibility, Song says. “However, reports alone are far too passive of an approach, since companies fail to take immediate and rectifying steps. We must make this information actionable, integrating apps that score companies on their security readiness, and also alerting us of areas that are most vulnerable.” There have been attempts to bridge the divide between the public and private sector when it comes to information security, adds Amrit Williams, CTO of CloudPassage, a cloud security platform provider. “But now more than ever it is critical that we work together to make these efforts successful,” he says. “Timely, 360-degree coordination and tracking of security incidents across the public and private sector will provide visibility into the state of the threat landscape and give information security professionals an important advantage over their adversaries,” Williams says. But public-private information sharing must allow for companies to remain anonymous and not struggle with the dilemma of doing the right thing for fear of damaging their public image, Williams says. “The U.S. government should accommodate the interests of the private sector in communicating security incidents anonymously and enable public and private sector actors to respond quickly to fast-emerging and newly discovered threats,” he says. “And security vendors can work to develop better anonymized threat information that can be shared with the broader community.” Threat intelligence and information sharing “are critical ingredients to improving the cyber security posture of both the private and public sectors,” says Ben Johnson, chief security strategist at security vendor Bit9 + Carbon Black. “It is clear from the volume, sophistication and diversity of the cyber attacks we are seeing that the ‘bad guys’ currently do a better job of sharing information, or selling it to each other, than the ‘good guys.’” But in sharing threat information, the government and public companies need to be vigilant about protecting users’ privacy, Johnson notes. “Cyber data and threat intelligence often contain personally identifiable information,” he says. “Any program dedicated to sharing information must put privacy at the top of their priority list. Information should be anonymized when technically possible, and delivered only to verified members.” Private companies are often loath to involve the government when it comes to cyber incidents, because of the fear of legal liability, Johnson adds. “There is no easy answer here, especially when discussing the government,” he says. “But there must be at least some basic levels of legal protection for the members if they are to be comfortable sharing information.” Many tech executives maintain that security information sharing to date has been mostly going in one direction—from private sector to public—and that the government has to do a better job of providing useful threat intelligence to companies. “Anything that assists with increasing security efficiency is a worthwhile effort, and info sharing could be one of those activities,” says Scott Montgomery, vice president and chief technology strategist at Intel’s security division. “However, this has to be a two-way street in order to be as effective as it can be, something that hasn’t happened to this point,” Montgomery says. “For instance, the Iranian breach of U.S. Navy networks in mid-2013 demonstrated an issue with database servers that hundreds of companies may have been facing. However, even though the target databases were on the unclassified network, the Navy immediately classified the forensic effort and all of the results.” While this is more common on the Department of Defense and intelligence community side, Montgomery says, DHS must do a better job sharing information. “If companies could [be sure] that they would gain valuable information as well as share what they had, they’d likely be more inclined to share,” he says. The big secret we keep inside those facilities is that the government’s information is of little value to civilian industry. Jeff Schilling, CSO of cloud hosting company FireHost “From my background of working inside a top secret facility run by the intel community in [the Department of Defense], I think the big secret we keep inside those facilities is that the government’s information is of little value to civilian industry,” says Jeff Schilling, CSO of cloud hosting company FireHost, and former director of the U.S. Army’s global Security Operations Center under U.S. Army Cyber Command. “The threat indicators the government aggregates to share with civilian industry through the FBI and [Department of Homeland Security] are usually old and is a small subset of what creditable security companies are collecting and selling to civilian industry,” Schilling says. The intelligence community is more interested in “getting industry data to provide them context to what they are collecting through classified programs and collection methods, which explains why most sharing between government and industry seems to be one way,” Schilling says. The government does have unique access to rich threat intelligence collected through classified operations, Schilling says, “but that data set is very small and its time of value very short because they are tracking the most sophisticated actors, who regularly change their trade craft, methods and infrastructure. In most cases, it is impossible for government to share this data without disclosing the classified collection methods.” The government collects intelligence through many different types of intelligence gathering capabilities, Schilling adds, and has the ability to pull together more context than Industry threat intelligence researchers can accomplish. “For example, the government can geo locate a threat actor not only by tracking his computer network activity, but can overlay other foreign signal intelligence like phone intercepts to triangulate additional intelligence context,” Schilling says. He would like to see the government provide more context on attribution, motive, targets and what intruders are after. “This information exists, so it would allow civilian industry security professionals to focus their security programs on their most important data,” he says. In reality, more sharing is happening currently than is being reported, especially in the defense and critical infrastructure sectors, says Dan Lohrmann, CSO and chief strategist at Security Mentor, a provider of security training, and former chief information security officer for the state of Michigan. “Better sharing is absolutely needed with a two-way flow being essential to provide cyber defense in the future,” Lohrmann says. “It is simply impossible to be ‘an island’ and stop the growing number and sophistication of cyber attacks without ongoing public/private partnerships and data sharing." How can the two sides get past the obvious mistrust involved? “It starts by developing relationships between two people,” Lohrmann says. “People, process and technology change is involved, but 90% of the trust issues are around people. In Michigan, the state government set up “Kitchen Cabinet” organizations for both the CIO and CISO to exchange data between public and private organizational leaders. “These monthly meetings helped to build trust and relationships,” Lohrmann says. “It takes time and money to build these relationships and processes. Nevertheless, the benefits far outweigh the costs.” Other technology executives, while applauding collaboration efforts, emphasize that they need to focus on the right areas. "What about the threats that are not seen or missed despite a broader program of collaboration between the private sector and government?” says Tsion Gonen, vice president of strategy for identity and data protection at security technology provider Gemalto. The government efforts at collaboration “are not 100% foolproof because they only address the data breach epidemic from one perspective: keeping the bad guys out,” Gonen says. “The problem is, they are already getting in and companies can’t keep them out, no matter how big a wall they build.” Rather than relying just on breach prevention, information sharing and breach notification laws, companies and government agencies also need to focus on how to protect data once the hackers get past perimeter defenses, Gonen says. “Companies and maybe government should be asking, ‘what is the Plan B when Plan A fails?’” he says. And some executives are skeptical of the whole concept. “If this program is going to be remotely successful, then two things need to happen: a clear definition of actionable intelligence for this program and action from the federal government based on these insights,” says Joan Pepin, CISO/vice president of security at Sumo Logic, a provider of a cloud-based machine data analytics platform. “For example, say I’m the CISO at a large enterprise company and I share that there was a genuine breach at my company,” Pepin says. “I have a bunch of potentially actionable intelligence, samples of malware and logs with specific signatures. If that’s what this program is looking for, then I’ll share an incident report with the government and put my private information and intellectual property out there. Are the feds going to treat this as a crime? Or are they just going to circulate this info amongst my competitors?” But the majority of technology companies interviewed for this article are open to the idea of private-public sector collaboration. And companies that have already been involved in security information sharing efforts say there are clear benefits. For example, security startup AlienVault in 2012 launched Open Threat Exchange, an open, crowdsourced threat information sharing and analysis network that has 26,000 contributors from 140 countries sharing about 1 million threat indicators each day. “These initiatives frequently invite and involve state and local government agencies, and back-channel communication between private research teams and government organizations is often an elemental piece to investigating critical threats such as the Anthem attack and the breach on Target,” says Barmak Meftah, president and CEO of AlienVault. “Within the private sector, the increased adoption of open standards like STIX [Structured Threat Information eXpression] has come part and parcel with a desire to improve and expand collaboration between all parts of the security industry,” Meftah says. “Collaboration and sharing helps both the public and private sector meet the data challenge by allowing both sides of the market to work together to amass and review all of their various findings from unique sources and perspectives.” If an information sharing program is to be effective and efficient, it has to be easy to use; Johnson says. “This is where technology can help,” he says. “It should be easy for companies to both share and receive intelligence without jumping through 10 lawyers, five forms and three different government organizations,” he says. “In the end, it’s important to keep focus on the goal,” Johnson says. “The point is not to share information for the sake of sharing or to collect information for the sake of building massive databases. The point is to provide an early warning system with actionable intelligence that companies can use to better detect, respond and protect against real-world cyber attacks. The intelligence provided must be relevant, specific, and timely.” This story, "Silicon Valley wary of U.S. push for cyber security info sharing" was originally published by Network World.