As the complexities and sophistication of cybersecurity threats continue to evolve, the need for effective information sharing has never been greater. We all understand that the fight against the bad actors is not one that we can win on our own. The latest and greatest tool—whatever it is this week—is really just one piece of the complex puzzle that must be assembled to have a truly effective cybersecurity posture.
It’s imperative to take an approach based not on what you can do to prevent an attack, but on what you do when you know you've been attacked and what the extent of that attack was. In other words, assume you will be attacked and that the attack will be successful.
Why Disclosing Security Information is Important
Information sharing is not a new concept. In 1998, the Clinton Administration created Presidential Decision Directive-63 (PDD-63) in order to create Information Sharing and Analysis Centers (ISACs) around critical infrastructure such as nuclear power, energy, aviation, financial services, etc.
These organizations share critical cyber threat information between the government and private sector partners in these identified critical infrastructure areas. In 2015, under the Obama Administration, Executive Order 13691 was issued, directing the Department of Homeland Security to create Information Sharing and Analysis Organizations (ISAOs). ISAOs differ from ISACs in that they may be formed around industry segments, communities of interest and more. The goal for information sharing is to increase collaboration between government and private sector to enhance the cybersecurity resilience of everyone involved.
Fast forward to today and let’s take a look at the SolarWinds event that came to light at the end of 2020. I refer to this as an “event” because I believe calling it a hack or breach does not impart the true gravity of the event. As more information continues to come to light, almost daily, it is clear that this was a foreign intelligence gathering operation carried out exclusively in cyberspace. We still do not understand the motivation for the event but given its known targets in the federal government, academia, and private industry, it appears to be an extensive information gathering activity, the outcome of which may not be fully known for years.
This was not something that any one tool was going to prevent. The sophistication and level of patience and persistence is something we have not seen before. While it was an attack on the software supply chain, perpetrated in a manner not previously seen, emerging evidence may also suggest other avenues of penetration. The point is that technology alone was not going to stop this type of sophisticated activity.
However, what if one or more of the organizations involved felt comfortable coming forward and sharing anomalies that they were seeing on their networks? We don’t yet know how many victims may have seen concerning activity on their networks, but what we do know is that organizations across the world fear cyber-shaming.
I think of cyber-shaming as the negative outcome of letting a cybersecurity event be known in the public forum. Think about the reputational damage done to companies like Target and Equifax, government agencies like the Office of Personnel Management (OPM) and others who have had cybersecurity events, be they hacks, breaches or insider threats, released to the public. Instead of being praised for letting the world know of these events, they are most often vilified, cyber-shamed if you will, for not having robust enough security to prevent such an attack.
It’s Time to Overcome the Fear of Admitting You’ve Been Hacked
This notion of cyber-shaming takes me all the way back to 2009, when I testified before the U.S. House Subcommittee on Oversight and Reform on behalf of CompTIA on the topic of information security and updates to the Federal Information Security Modernization Act. During the interactive Q&A with lawmakers after our opening statements, the panel had the opportunity to interact with the members of the subcommittee. One member, a Congressman from Southern California made a very strong statement to the effect of (I am paraphrasing here) “Do you mean to tell me in this day in age, in the greatest country on earth, we can’t come up with technology to prevent security risks?” To which I responded, “Mr. Congressman, with all due respect, there is no technology in the world that can get between your finger and the enter key on your keyboard.” My point was that the individual computer user is often the last line of defense when it comes to cybersecurity. Fast forward 12 years and not much has changed.
I contend that in many ways, this is due to cyber-shaming. Whether as an individual or as an organization, there is too much fear around admitting to a possible cybersecurity event. There should not be. We must encourage individuals and organizations to come forward and share every concern they may have about events taking place within their infrastructure. The only chance we have to get ahead of the bad actors is to share information, just like they do! Yes, the bad actors actively share their successes and their failures, to help one another be more effective in their attacks. We, the good guys, have been remiss in not sharing nearly as effectively as the bad guys.
Thinking back on the SolarWinds event, imagine what may have happened if one or more attacked organizations had shared that they were seeing some suspicious activities on their networks. If this information had been shared to their communities, ISACs or ISAOs, maybe enough people would have looked for the same suspicious activity and caused the bad actors to push back from the table and reconsider their operation. I’m not saying this would have prevented it, but we also cannot say that it may not have. Worst case, it may have given the attacked organizations more time to understand what was happening and shut it down before the operation was able to get in and quietly do its damage for months, if not longer.
It is my opinion that cyber-shaming is as much a danger to our collective cybersecurity defenses as any other risk. We have to change the equation and that starts with encouraging individuals and organizations to come forward with anything concerning they may do or encounter. Only then can we leverage the masses to alert and beware of similar circumstance within their own infrastructure.
Coupled with effective defensive technologies, proactive monitoring, and user education, to name a few, the sharing of timely and actionable cyber threat intelligence will provide us with the strategic edge we need to get ahead of the bad actors. If we truly hope to protect our businesses, those of our customers and the stability of both the global economy and our societies, we must share this critical information.
This is why cybersecurity is a priority for CompTIA in 2021 and why we brought the CompTIA ISAO to our members. Together, we will fight back against the bad actors and raise the cybersecurity resilience of the global tech industry.
MJ Shoer is senior vice president and executive director of the CompTIA ISAO.
Click here to learn more how the CompTIA ISAO is helping technology vendors, MSPs, solution providers, integrators, distributors, and business technology consultants advance the cyber resilience of the entire tech industry.