I just had an interesting Twitter conversation with Chris Jager (@chrisjager)
about information sharing in a cybersecurity context. Chris makes the very
valid point that 'sharing information' is more than the simple single activity of
handing over a piece of information. It is a complex set of actions that includes a
number of decision points, any of which can legitimately stop the process. Mandating
sharing does not make those decision points go away.
A Potential Example
Look at §704 of the bill that might make it to the Senate floor this month
(S 2105). It establishes the information sharing standard from the private
sector to the Federal government. It says:
“Notwithstanding any other
provision of law, a non-Federal entity may disclose lawfully obtained
cybersecurity threat indicators to a cybersecurity exchange.”
That clearly does not mandate information sharing; it permits it ('may
disclose'), and §707(e) specifically prohibits such a mandate. If we made a
minor word change (substitute 'will' for 'may'), disclosure would be required.
Even under that regime, look at how many places the information sharing could
legitimately break down.
Scenario: A cyber-attack on a small-town water-treatment plant control system
causes a chlorine vent valve to fail open. This is a proof-of-concept attack
that an eco-terrorist group plans to use on a larger water system, where the
chlorine release would have major consequences. Timely sharing of information
about this attack could prevent the larger attack from succeeding.
Information Sharing Breakdown Points:
Investigation concludes that this is a simple mechanical valve failure: no information sharing requirement.
Investigation concludes that it is a control system related issue caused by operator error: no information sharing requirement.
Investigation concludes that it is a control system related issue caused by a programming error: no information sharing requirement.
Investigation concludes that it is a control system issue related to spurious commands from within the network. Management determines that it is due to a disgruntled employee and thus not a cybersecurity threat: no information sharing requirement.
Investigation concludes that it is a control system issue related to spurious commands from outside the network. Management determines that this is due to inadequate security controls on the part of the vendor and thus does not indicate a wider cybersecurity threat: no information sharing requirement.
Investigation concludes that it is a control system issue related to spurious commands from outside the network. Management determines that, since the control system is clearly not an information system under the definition in the law, there is no information sharing requirement.
Investigation concludes that it is a control system issue related to spurious commands from outside the network. Management determines that this constitutes a cybersecurity threat indicator and makes the appropriate notifications two weeks after the successful attack on the larger chlorine storage facility.
Depending on the skills of the initial incident investigators, any of the
above breakdown points could be an honest finding for this type of incident.
If management has a reason to prefer a finding other than 'cybersecurity threat
indicator', any of the above findings could easily be justified by an
investigator who has been given the appropriate motivation. And if management
has made an active determination not to share information, any of the above
findings could be the directed result of the incident investigation.
Setting up an Information Sharing Network
Congress has to understand that there is much more to
setting up an information sharing network than just establishing one in law.
The program must provide incentives for the private sector to participate. The
program must also remove disincentives that make it difficult to participate.
‘Incentives’ does not mean that the government must pay for
this information; rather it must provide the organization with some other form
of benefit. The most obvious example would be that joining the information
sharing network ensures that the organization will receive timely
cyber-intelligence information that can be used in protecting its networks.
There could be a system of rewards for information that leads to the prevention
of an attack on another organization.
There are a wide variety of disincentives to sharing information about
cyber-incidents. One of the most important is the simple fact of not wanting
to look stupid or ineffective. Closely following that are financial
disincentives like the fear of losing business, or the fear of fines or other
regulatory actions. Requiring the anonymization of information before it is
re-shared, even within the government, is an important step in removing many
of these disincentives. Anonymization has to go beyond stripping the
submitter's name, though: the combination of sector, vendor, system model and
facility size can identify a small utility just as surely as its name would.
Finally, the information sharing process has to be as easy as possible. In
many ways the Chemical Security Assessment Tool (CSAT) used by the CFATS
regulatory process could be a model for the type of system used for submitting
cyber-threat information. This type of on-line tool could be set up for each of
the critical sectors to do an initial screening and anonymization of each
submission. This would allow people familiar with the types of systems and
processes involved in that sector to make the initial analysis of the threat.
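As an added illustration of the anonymization step described above (the one the previous two paragraphs argue should happen before a submission is re-shared across a sector or within the government), here is a small Python intake filter. This is example code written for this post, not CSAT's code or anything from the bill; the report schema, the field names, the sector list and the sample submission (modelled on the chlorine valve scenario) are all assumptions constructed for the example. It keeps the threat indicator (the external address and the affected vendor/model), replaces the submitter with a keyed pseudonym so analysts can still correlate reports from the same source, scrubs the narrative, and then verifies that no identifying value survived anywhere in the shared record.

```python
"""Illustrative anonymization step for a sector threat-sharing intake tool.

Example code written for this post; not CSAT's and not from S 2105. The intake
schema, the field names and the sample report below are assumptions.
"""
import hashlib
import hmac
import ipaddress
import json
import re

# Assumed intake schema: fields that identify the submitter and must not leave
# the intake system, and fields that describe the threat and may be re-shared.
IDENTIFYING_FIELDS = ("organization", "contact_name", "contact_email", "facility_address")
SHAREABLE_FIELDS = ("sector", "system_vendor", "system_model", "indicator", "observed_behavior")

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the submitter's name: lets analysts correlate
    reports from the same source without learning who it is. The key is held
    only by the intake tool, so recipients cannot brute-force the name."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrub_free_text(text: str, report: dict, internal_networks) -> str:
    """Redact submitter identifiers, e-mail addresses and the victim's own
    internal addresses from narrative text. Addresses outside the victim's
    networks are the threat indicator and are deliberately kept."""
    for field in IDENTIFYING_FIELDS:
        value = str(report.get(field, ""))
        if value:
            text = re.sub(re.escape(value), "[submitter redacted]", text, flags=re.IGNORECASE)
    text = _EMAIL.sub("[email redacted]", text)

    def redact_internal(match: re.Match) -> str:
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:
            return match.group(0)
        return "[internal address]" if any(addr in net for net in internal_networks) else match.group(0)

    return _IPV4.sub(redact_internal, text)


def anonymize_report(report: dict, key: bytes, internal_networks) -> dict:
    """Build the record that may be re-shared across the sector, then verify
    that no identifying value survived in any field before releasing it."""
    shared = {field: report[field] for field in SHAREABLE_FIELDS if field in report}
    shared["submitter_id"] = pseudonymize(report["organization"], key)
    shared["observed_behavior"] = scrub_free_text(
        report.get("observed_behavior", ""), report, internal_networks
    )
    serialized = json.dumps(shared).lower()
    for field in IDENTIFYING_FIELDS:
        value = str(report.get(field, "")).lower()
        if value and value in serialized:
            # Fail closed: better to hold the report than to leak who sent it.
            raise ValueError(f"value of {field!r} leaked into the shared record")
    return shared


# Constructed sample submission (assumed data), modelled on the scenario above.
SAMPLE_REPORT = {
    "organization": "Smallville Water District",
    "contact_name": "J. Doe",
    "contact_email": "jdoe@smallville-water.example",
    "facility_address": "1 Plant Rd, Smallville",
    "sector": "water",
    "system_vendor": "ExampleVendor",
    "system_model": "PLC-2000",
    "indicator": "203.0.113.45",
    "observed_behavior": (
        "Smallville Water District PLC at 10.20.0.7 received an unsolicited write "
        "from 203.0.113.45 that forced the chlorine vent valve open. "
        "Reported by jdoe@smallville-water.example."
    ),
}
SAMPLE_KEY = b"intake-tool-secret-key"  # assumed; in practice held only by the intake system
SAMPLE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed victim address space

if __name__ == "__main__":
    print(json.dumps(anonymize_report(SAMPLE_REPORT, SAMPLE_KEY, SAMPLE_NETWORKS), indent=2))
```

Running it prints a record in which the external address, vendor and model survive, the plant's own address and contact details do not, and the submitter appears only as a stable pseudonym. The final leak check is the part worth copying: a filter that strips the obvious fields but lets the organization's name through in a free-text description defeats the whole point, and it should refuse to release rather than guess.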
Organizations within the sector could register with the information
sharing system so that they could receive notifications about specific threats
to particular control systems (okay and particular IT systems too) that they
use within their organization. More general threat information would be shared
throughout the sector. Vendors could also register with these systems,
providing specific points of contact for information about particular systems
that they sell/support.
Moving Forward
Unfortunately, it looks like we will have the time necessary to set up a more detailed proposal for an information sharing system, since it remains increasingly unlikely that Congress will take any final action on cybersecurity legislation before the November election.