The theory behind cybersecurity information sharing is clear and uncontroversial, even if the details of what to share, how best to do it and who to share with may sometimes result in debate and disagreement. The theory goes that organizations are better off sharing information and improving situational awareness than trying to recognize and face cyber threats and challenges on their own. Some collective and coordinated efforts can help to identify, learn about and fend off threats and would-be attackers—as compared to acting individually with less information and situational awareness. That is also a reason why armies gather intelligence, where feasible, before going to battle.
Sharing information about cyber threats, incidents and vulnerabilities has some similarities to the concepts of a “neighborhood watch.” For both, the idea is to observe, gather and share information—including about the tactics, techniques and procedures (TTPs) of attackers—to enable targets to recognize threats and defend better, reducing the likelihood that those attacks and attackers will succeed. In economic terms, we are seeking in part to raise the costs to attackers by using information sharing to shorten the time and narrow the instances in which their tools can be re-used profitably—as potential victims could develop defense tactics more quickly. To succeed as often, attackers would have to invest more in new or modified tools, or choose different targets—making it more expensive for them to generate each dollar in nefarious returns.
We also seek to lower the cost of defense by helping defenders know what to look for and prioritize, and how to defend against those threats effectively. While it is no silver bullet, cybersecurity information sharing has long been thought of as a way for defenders to improve their position. Information sharing has been endorsed by the nation’s leading policymakers including, most notably, by the White House in executive orders from 2015 and Congress in the Cybersecurity Information Sharing Act of 2015 (at Division N, Title I).
Information sharing, however, comes with costs and risks. Organizations might be concerned about reputational damage from revealing the particular attacks they experienced, especially if the attacks were neither avoided nor defended as well as the firm would have wished. This is one reason that trust is recognized as an important element of information sharing. Those who share information may not want their identity to be revealed at all, or may allow it to be revealed only to a restricted audience. Organizations also may prefer that attackers are not easily able to learn who was the source of particular information.
Sometimes entities attempt, if information sharing rules allow, to be “free riders,” in the sense of receiving information but providing little information in return. It also may be costly not only to share information, but to turn received information into effective action. To do it well, and analyze the information that is received effectively and put it to work in close to real-time, may necessitate costly investment in a platform, technology and staff. For C-Suite executives who are not cybersecurity experts, the costs and risks sometimes seem easier to understand and more concrete than the benefits to the organization of sharing.
Read the full piece at Lawfare Blog.