Swear words are, as Wikipedia tells us, a subset of a language that’s “generally considered to be very impolite, rude or offensive.”
So, what about “information sharing” or “collaboration?” These sound like good words, right? Especially in the context of defending businesses against cybercrime, you’d think they have to be good. After all, what’s not to like about taking a communal approach to cyber threat data collection, analysis and expertise to be safer as whole? That is, in fact, the promise of groups like the industry-focused Information Sharing and Analysis Center (ISAC) organizations.
Yet, over the last decade or so, these sharing words have become veritably profane in most serious cyber defense circles. In fact, I can think of few other seemingly innocuous words that can change the mood of meeting room quite as fast.
Sharing cyber info, it seems, is a real problem for most businesses. But why?
The myriad reasons are actually becoming quite important to our global cyber defense.
For me, a “Top 10” looks like this (although, there are certainly more that could have made the list):
1. People hate sharing private info (businesses even more so)
2. The ROI Question: is shared data relevant to my business?
3. The “arms race” of sharing-group proliferation
4. Enterprises don’t know what or how to share
5. Too many tools, Too much data
6. How do I budget for it?
7. Lawyers, lawyers and more lawyers
8. Stranger Danger: Losing control of data
9. Our CISO says we have our own problems
10. The Woody Allen/Groucho Marx dilemma
Let’s talk about a few of the more interesting ones from the list.
For starters, why do businesses hate to share?
Arguably the single largest reason is a fear of somehow giving the competition any sort of advantage. The idea is that exposing cyber weaknesses or potential vulnerabilities can give your competitors a leg up with your customers, partners, PR, product development and in the marketplace in general.
Most businesses also feel that sharing info might help the cyber bad guys be better able to do harm. As well, many businesses, such as those in government, financial and healthcare sectors, also have to be careful not to run afoul of government regulations on data and information handling.
Furthermore, many businesses know from experience that sharing info of any kind could perhaps one day be used in litigation against you, thus posing a challenge to legal defense efforts when sued. Lawyers. The #7 reason on my list. Then there’s the proliferation of sharing itself. Well, a proliferation of sharing groups, I should say; the creation of thousands (tens of thousands maybe?) of sharing organizations.
Now, what I’m saying here may seem contradictory to my previous point about a lack of sharing, but just take 5 minutes and search the web or the Twittersphere for cyber information sharing groups and you’ll see my point.
They are everywhere.
From banks to healthcare groups to retailers and utilities, cyber sharing is seemingly quite popular. From the federal level all the way down to state and local offices, our governments highly encourage it. For-profit and nonprofit groups alike are pushing the practice. Even our biggest telcos and cyber solutions providers habitually form industry alliances to promote cyber threat sharing communities that promise to make us all safer.
So, you’d think sharing was mainstream, the norm, the standard, the status quo, right?
In reality, it’s not. What is the norm is an appearance of sharing, committed to by anyone and everyone, across most all industry sectors in what is mostly lip service. Everyone’s participating because they see the potential value in sharing, but it’s most often in the most guarded manner possible. It’s kind of like a group therapy session where every new member is raising their hand to say, “Hi, I’m John. I want to share as little as possible, but please do feel free to open up. Mind if I take notes?”
Worse than that, it’s causing sharing entropy; a kind of real-life incarnation of information entropy.
Information entropy is a fairly sophisticated subject area, but the concept as applied here is simple. According to the concept of information entropy, when you receive info on something you didn’t already know, the more valuable the information. This is considered high entropy. The reverse of this is getting info on things you already know about, thus having a low value for the recipient of the info. All these multitudes of sharing groups – and the attitude of individual sharers in them – is making for very low entropy. And that’s a bad thing. Lots of activity, very little payoff.
And that’s the reasoning behind my personal favorite from the list above, #10.
It’s based on an old joke told first by legendary funny man Groucho Marx (and later made popular by Woody Allen) the punchline of which is “I wouldn’t want to belong to any club that would have me as a member.” It’s a lighthearted way to convey a serious reason businesses don’t share: based on their own threat intelligence efforts, they too suspect the data being shared is probably pretty low on the entropy scale.
This talk of the proliferation of sharing groups is a nice segue into discussion of #5 from my list above: Too many tools, too much data.
In today’s cybersecurity marketplace, as with the proliferation of sharing groups, it seems every month there’s a new software solution or service to help us all share. Emerging cyber data and information domains like Threat Intelligence are driving a wide variety of platforms into the market and most of them have B2B sharing and collaboration features. These solutions help businesses make sense of the vast array of cyber threat information they receive from their increasingly-crowded cyber defense infrastructures, but also come with significant considerations and concerns for adoptive businesses.
For example, the sheer amount of choice in the market, the variance in capabilities and features, as well as the lack of universally-accepted standards for how threat data at a given level is stored, analyzed and exchanged make it tough for businesses to actually accomplish effective analysis, much less get around to comfortably sharing what insight they achieve. Put simply, there’s no high gravity around any given platform or data format such that companies can take advantage.
At this point, you might be thinking sharing just isn’t worth it. But there is a way (and a reason) to share that actually means something significant to your business and helps address all the items on the list above:
Create your own private ISAC for your supply chain.
Every business has partners and suppliers with an increasing amount of access to critical networks, B2B web applications, customer data and more. A company’s suppliers are often integral to their business and, as we all are more than aware these days, suppliers that don’t pay enough attention to security are causing very direct, dire injury to companies they deal and interact with.
Unlike sharing in larger groups or with “stranger” businesses, your own supply chain is, for all intents and purposes, just an extension of your own enterprise. It only makes sense that your security “umbrella” should extend out a bit over them as well.
As such, sharing info, analysis and expertise within your “extended family” can be very valuable to establishing the kind of early warning system that is the promise of cyber information sharing to begin with – and without most of the risks.
Sharing threat intelligence, risk identification and other analysis with your partners helps you help yourself. In part II of this series, I’ll explain how it can be easier (and cheaper) than you think to set up. It’s a small investment with big rewards.