Note: The date is nearing for our Second Annual Senior Executive Cyber Security Conference, which we’re cohosting on September 10 with the Johns Hopkins University Information Security Institute. So we asked Anton Dahbura, Executive Director of the Institute, to share his thoughts on a pressing topic in the cyber security community: whether private sector companies should be required to do more to share information with each other and the government as part of an effort to bolster our defenses. His views are below.
Imagine the storyline of a science-fiction thriller. Mankind has succeeded in building its technological crown jewel, a worldwide ultra-high speed communications network that connects the entire globe’s electronic and physical resources, from nuclear power plants to soda machines, creating instantaneous communication and universal efficiencies and knowledge acquisition.
All is going well until a phenomenon that begins as a footnote in technical circles ultimately explodes in the headlines on a daily basis: the essence of what makes this network so powerful, namely its far-flung interconnectedness and flexibility, is being exploited by largely unknown individuals for nefarious and hugely destructive purposes.
Seemingly secure networks are breached regularly. Highly sensitive data, from individual financial information to corporate and even classified secrets, are stolen almost daily. The public calls for a quick antidote to this growing epidemic as fear grows about the increasing likelihood of turmoil and even destruction and mayhem. The U.S. government, experiencing a rapidly growing number of attacks on its own systems and realizing the deepening impact of incursions into the private sector, scrambles to assemble a comprehensive strategy to counteract the infiltrations and, ideally, eradicate them altogether.
A few years ago, this plot may have been considered too far-fetched; besides, it would take the most skilled team of screenwriters to concoct an even half-way credible resolution to this cliffhanger.
Unfortunately, the exploitation on a global scale of what we know as the Internet has become the reality that grips virtually all of us. Nation-states, far-flung criminal organizations, and even petty thieves have discovered that practically all of the world’s riches, information and systems are a mouse-click away and that the very complexity that has made the Internet one of the most important technical achievements in the history of human development also yields irresistible vulnerabilities on which even children can capitalize.
As a society, we rely on our government when a threat arises which is beyond the control of individuals or private entities. Therefore, in that context it makes sense for the U.S. government to play the lead role in any concerted effort to thwart cyber-crime, including legislating and coordinating a large-scale program to collect, analyze and act on information regarding cyber-breaches into companies and organizations. In fact, it’s difficult to imagine that an “everyone-for-yourselves” defense would ever be effective.
However, there are those who would argue that the number and magnitude of unintended consequences of forced data-sharing should be of great concern, and that once government-led data-sharing programs are out of the gate they will be extremely difficult to roll back or modify.
In an article that appeared in the July 2015 issue of IEEE’s Computer magazine, Nir Kshetri of the University of North Carolina at Greensboro provides an excellent overview of the various government data-sharing programs that are in place or proposed.
Kshetri points out that while sharing information about past attacks among organizations can help bolster cyber defenses, it is not clear that the government programs will add value to what is already shared among companies now, especially in sectors such as finance, retail and energy that already have their own data-sharing organizations.
There is great concern in the private sector that information sharing could force companies to expose proprietary, sensitive, or trade secret information beyond their boundaries, where they have no control over it. Also, shared information would in theory be anonymized, but in practice the privacy of shared information can rarely be guaranteed. Furthermore, questions regarding liability protections are still under discussion. Even the most basic issues, such as what constitutes a breach and how long a company has to report it, remain unresolved, and any federal answer is likely to contradict the myriad state-level regulations already in place.
This is just a sampling of the challenges facing those who are charged with defining and implementing a comprehensive data-sharing strategy between the U.S. government and the private sector. During our upcoming one-day symposium sponsored by COMPASS and the Johns Hopkins University, we will explore these topics and many more, presented by a select group of speakers who are at the forefront of this groundbreaking initiative.
Whether we compose a plausible ending to our cybersecurity thriller remains to be seen, but there is no question that the decisions made in the upcoming weeks and months about data sharing will have a significant and long-lasting impact on how effective data breaches and other forms of cyber attack will be.