Connecting state and local government leaders
Despite a consensus that information sharing is critical to cybersecurity, organizations still hold onto their information, allowing serious threats to flourish for years after they become known.
Comfoo, a Chinese Trojan that was used in the breach of RSA back in 2010, dates back at least to 2006 and remains in wide use more than three years after it was exposed, according to research by the Dell SecureWorks Counter Threat Unit.
Why has Comfoo been successful for so long?
“Not enough people are sharing information,” said Joe Stewart, CTU’s director of malware research. Because people hold onto threat data, rather than share it, malware owners are able to use the same tools for years.
Stewart and his partner, senior security researcher Don Jackson, suspect that the federal government probably already knew much of what it has spent the last two years finding out about the threat landscape, but because the information was classified the research had to be duplicated in the private sector.
It’s not that the government doesn’t want to help, Stewart said. “The government people I’m talking to say they are trying to get to the point that they can share the information, but they aren’t there yet.”
“There have been discussions” with government officials about Comfoo “that have gone nowhere fast,” because of the classified information involved, Jackson said. “If we had known the same thing they knew, a lot less damage could have been done.”
Some threat information is being shared, of course. There are industry sector Information Sharing and Analysis Centers — ISACs — that allow companies to come together and assess risks, with some government participation. And there are industry working groups targeting specific challenges. But the success of these efforts so far have been limited, said Kathleen M. Moriarty, global lead security architect at EMC Corp., the parent company of RSA.
“Organizations today rely on information-sharing processes that are so manually intensive, duplicative and inefficient that they cannot scale to meet critical computer network defense requirements,” she writes in a paper on threat intelligence sharing.
The problem with most of these efforts is not a lack of information being made available, but how to make it useful, she said -- deciding “what to share with who.” Merely sharing is not enough. Threat information needs to actionable and able to be used in automated responses. “You have to have a business problem you are going to solve,” she said.
She cited examples of how sharing can be effective, among them the efforts of the Messaging, Malware, Mobile Anti-Abuse Working Group, a collaborative effort of large email service providers and the Anti-Phishing Working Group. By providing clearinghouses for actionable data they help their industries and allow security vendors to take advantage of that information for their products.
But these models presuppose formal sharing already in place, which is not always the case. A lot of threat sharing is informal, back-channel and bottom-up, especially with government.
“I think all governments are interested in helping,” Moriarty said. But there are barriers of trust, policy and law.
And turf. “Turf battles are nothing new in government,” Mark Weatherford, former Homeland Security Department cybersecurity official now with the Chertoff Group, said in a recent Black Hat panel discussion. “In Washington, power is everything, and information is power.”
There are efforts to break these barriers, such as DOD’s Defense Industrial Base (DIB) program to share classified information with contractors. “The DIB pilot worked well, except that the information is classified,” which limits how it can be shared or used, said retired Adm. William Fallon, former commander of the U.S. Central Command.
Participants in the Black Hat discussion agreed on two things: Information sharing is improving, but the remaining challenges put defenders at a disadvantage when going up against the offense. Secondly, they all concurred with an audience member’s assertion that “pain and humiliation is a great motivator.”
It is likely to take a cyber disaster to effectively change the information sharing landscape.