There is no doubt that cybersecurity provides longevity to a business and can help differentiate it from its competitors – for both good and not so good reasons. Organisations in both the public and private sectors need strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.
As we have seen, though, the threat landscape is not abating and it will continue to evolve. Our cyber adversaries are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.
This challenging new reality is as true for Australian organisations as it is for global businesses. The Australian government is taking important steps to raise its cyber resilience and improve its approach to cybersecurity with the release of the Cyber Security Strategy in April 2016. As Australian Prime Minister Malcolm Turnbull has said, “the Australian Government has a duty to protect our nation from cyber attack and to ensure that we can defend our interests in cyberspace. We must safeguard against criminality, espionage, sabotage, and unfair competition online.”
Australia’s Cyber Security Strategy has five main themes:
These are laudable goals, but if we aspire to put an end to the breaches we read about in the headlines almost daily, a partnership is needed to achieve them.
One key way for industry to play a valuable role is to participate in voluntary cyberthreat information sharing. Operationalising threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks.
Cyberthreat information sharing is the sharing of information about threats and incidents so that all entities can better protect and defend their networks. The information in question is generally technical in nature, such as bot command-and-control servers, malware samples, malware analysis results, and indicators of compromise. In short, it is about sharing attack information. What’s most critical is to learn about the kinds of actors targeting organisations, the tools they have available, and the tactics they employ – all to help organisations to prevent attacks and defend their networks more effectively.
First, let’s define the attributes of what should be shared:
Our mission should be to share all of the above but, most importantly, an adversary group dossier. Doing so will enhance the assessment of the adversary group’s potential material impact on the targeted organisation, giving that organisation a better opportunity to detect and prevent the attack, as well as to deter an adversary.
The information itself is important – but it must be actionable. This means that it must arrive in as close to real time as possible. As we have observed in some of the largest breaches, the best-resourced security teams cannot scale manual responses to automated threats; only by automating prevention and detection can organisations be fast enough to adequately secure networks. Thus, government and industry must collaboratively build a robust, automated information sharing architecture, capable of turning threat indicators into widely distributed security protections in near real time.
Increasing cyberthreat information sharing in our country is easier said than done, for a number of reasons. First, there is apprehension amongst organisations that information sharing could negatively impact them. Many feel that by sharing information that could be classified as sensitive and privileged, they would be giving the upper hand to their competitors. This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information – not information on who has been breached.
Some of the other challenges and perceived barriers to greater cyberthreat information sharing that will need to be addressed are:
We urge the Australian government as well as industry to quickly put into action the recommendations for greater cyberthreat information sharing as laid out in the new Cyber Security Strategy. Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary. Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combating our adversaries with technological weapons that have no ammunition.