The theory behind cybersecurity information sharing is clear and uncontroversial, even if the details of what to share, how best to do it and who to share with may sometimes result in debate and disagreement. The theory goes that organizations are better off sharing information and improving situational awareness than trying to recognize and face cyber threats and challenges on their own. Some collective and coordinated efforts can help to identify, learn about and fend off threats and would-be attackers—as compared to acting individually with less information and situational awareness. That is also a reason why armies gather intelligence, where feasible, before going to battle.
Sharing information about cyber threats, incidents and vulnerabilities has some similarities to the concepts of a “neighborhood watch.” For both, the idea is to observe, gather and share information—including about the tactics, techniques and procedures (TTPs) of attackers—to enable targets to recognize threats and defend better, reducing the likelihood that those attacks and attackers will succeed. In economic terms, we are seeking in part to raise the costs to attackers by using information sharing to shorten the time and narrow the instances in which their tools can be re-used profitably—as potential victims could develop defense tactics more quickly. To succeed as often, attackers would have to invest more in new or modified tools, or choose different targets—making it more expensive for them to generate each dollar in nefarious returns.
We also seek to lower the cost of defense by helping defenders know what to look for and prioritize, and how to defend against those threats effectively. While it is no silver bullet, cybersecurity information sharing has long been thought of as a way for defenders to improve their position. Information sharing has been endorsed by the nation’s leading policymakers including, most notably, by the White House in executive orders from 2015 and Congress in the Cybersecurity Information Sharing Act of 2015 (at Division N, Title I).
Information sharing, however, comes with costs and risks. Organizations might be concerned about reputational damage from revealing the particular attacks they experienced, especially if the attacks were neither avoided nor defended as well as the firm would have wished. This is one reason that trust is recognized as an important element of information sharing. Those who share information may not want their identity to be revealed at all, or may allow it to be revealed only to a restricted audience. Organizations also may prefer that attackers are not easily able to learn who was the source of particular information.
Sometimes entities attempt, if information sharing rules allow, to be “free riders,” in the sense of receiving information but providing little information in return. It also may be costly not only to share information, but to turn received information into effective action. To do it well, and analyze the information that is received effectively and put it to work in close to real-time, may necessitate costly investment in a platform, technology and staff. For C-Suite executives who are not cybersecurity experts, the costs and risks sometimes seem easier to understand and more concrete than the benefits to the organization of sharing.
Over the course of interacting with many businesses and organizations in both government and private law practice, Turetsky became convinced of the benefits of collecting and documenting more information sharing successes—particularly examples where an organization avoided harm as a result of the shared information. He saw clearly, across sectors, the internal debates about the costs and benefits of engaging in systematic information sharing efforts. That work led to a conference, interviews and to a new paper that we are releasing today, “The Successes of Cybersecurity Information Sharing” The paper, supported by the William and Flora Hewlett Foundation, collects success stories in information sharing from several sectors—instances where harm to an organization, or many organizations, was avoided through information sharing.
We thought that these stories could provide additional evidence and information that not only would add valuable knowledge and understanding more generally, but could support those trying to document the advantages of information sharing to colleagues and decision makers. In the eyes of some organizations, particularly as seen by some of those executive leaders who are not cybersecurity experts, there exists a gap: the benefits of joining a cybersecurity information sharing organization and full participation seem less clear, or at least less well-documented, than the costs and potential risks of doing so. While it is always challenging to explain, predict and value harm that will be avoided in the future, we think there are a variety of ways to narrow this gap. And that’s why we wrote this paper, to explore these stories and find ways to bridge that gap.
These success stories could be particularly valuable to deploy in conjunction with discussing and educating those in a position to make decisions about the benefits of joining and engaging in an information sharing entity, like an Information Sharing and Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO). Since the theory of information sharing is clear, the benefits in practice should be as well. After all, it can be very hard for organizations to make judgments about less visible future benefits as compared to current risks and hard costs.
To fill the gap referred to above, we thought that it would help to have examples of information sharing success stories from across many different types of organizations and sectors.
The primary beneficiaries could fall primarily in three categories. The first category is organizations deciding whether to participate in formal information sharing, or whether to step up those efforts. Today, most entities are still not members of formal information sharing organizations, as participation is voluntary. Broader publication of success stories could be helpful to those deciding whether to join.
Second, the information sharing organizations which already recruit and serve members and act as hubs for sharing information, could benefit both from these success stories and the possibility of identifying additional success stories themselves. Certainly, these organizations already are sensitive to retaining and growing their membership and producing value for their members for the long-term prospects of their organization. But success stories have not always figured prominently in conveying the benefits of participation for several reasons. For one thing, information sharing organizations do not always know the specific successes they facilitate—which may be more easily accessible and better known to individual members who experience the successes. Accordingly, the stories that we gathered came from individual members of information sharing organizations, as well as from ISACs and ISAOs. It seems that the availability of a set of success stories across sectors could be helpful to ISACs and ISAOs in a number of ways, including marketing those stories to potential members. We also thought that by collecting and sharing some of these “wins” from a variety of sectors involving several different ISACs and ISAOs, this could help sharpen the focus of these organizations to collect more success stories.
Third, policymakers have been asked to promote information sharing. We thought that it would be helpful to provide policymakers with evidence of some concrete success stories across sectors to confirm the value of information sharing.
For all of these reasons, we chose to include examples in the paper from numerous different sectors, including: research and academia; financial services; aviation; health; defense; transportation; the public sector and others. The fact that success stories are found across the economy is further evidence that these are neither isolated nor rare.
Some of the stories relate to well-known events. Others are very traditional, where successes were obtained through information directly provided to a member or multiple members of an ISAC or ISAO. Some involved the government. Some did not. But the organizations were confident they avoided harm in these instances and can explain how. While there certainly might be other ways to measure the benefits of information sharing, generating narratives is always a valuable method.
A Few Examples
Large organizations often engage in information sharing relationships with formal information sharing organizations, and sometimes more than one. In addition, they also engage in informal arrangements with their peers, sometimes outside of any framework provided by an ISAC or ISAO. The successes of information sharing often extend to both arrangements. One of those successes involved a few large retail businesses as well as some smaller ones who found the high-stakes November retail season to be the target of cyberattacks:
- A major retailer detected conduct involving a brand new Java Script Remote Access Tool (RAT). The retailer was able to track it to a specific recent phishing email and another similar attempt the week before. It shared information about this threat through a direct dialogue with at least three other major retailers. Those other retailers checked within their own companies and told the major retailer who was the first to share that they were able to spot the same malware and avoid harm because of the information that had been shared. The major retailer also shared the information with one of its ISACs. That ISAC’s research then identified as many as 30 retailers that were targeted.
Information sharing can take place in the private sector, in the government or between the two. While, sometimes, private sector entities prefer not to engage directly with the government, that does not mean that a private sector entity will not review information that the government shares. In fact, one success story involved a company benefiting from information published by the government, and from the company’s eventual effort to seek out additional related information from the government by asking its ISAC to act as an intermediary. This enabled the company to receive additional valuable information shared by the government without revealing its identity to the government:
- A major financial company was aware that the federal government had identified an IP address that was associated with a specific Advanced Persistent Threat (APT) actor from abroad. Many months later, the firm saw that IP address internally and wondered whether it was still associated with the threat actor. It wished to remain anonymous and asked its ISAC to approach the government and inquire. The ISAC did so and reported back that the threat actor was still using that IP address. In this way, the financial services company learned that one of its senior executives was targeted by a well known APT actor, one normally associated with campaigns targeting political and military targets. This case, and the subsequent sharing among financial services firms, enabled the company to protect its executive, and—notably—to update its threat models to account for the changing breadth and range of this threat actor’s interest.
There has been increasing attention to cybersecurity concerns associated with supply chains. Information sharing can lead to an awareness of specific problems and produce valuable benefits for supply chain management:
- An ISAC shared information, received from a federal government source, with the users of a series of streaming video devices that appeared to be beaconing out to a country in Eastern Europe. The ISAC was able to secure its members from the compromise—unusually—by working directly with the device manufacturer to identify and correct a serious compromise of their supply chain.
Some ISACs have overlapping client bases and include organizations that may be engaged in a variety of activities. For example, major retailers have a lot in common with other retailers—but they might also have something in common with financial institutions, given the way they collect money, are involved with credit and credit cards, etc. This is why, when one ISAC learns valuable information, there can sometimes be important benefits from sharing it beyond the members of its own ISAC:
- An ISAC that does not focus specifically on aviation was alerted to information that, with subsequent investigation, led to the discovery of a wide-ranging malware campaign targeting aviation infrastructure around the country. The ISAC, whose membership base only partially overlapped with the aviation sector, conducted an investigation that uncovered key insights about the campaign, the TTPs of the threat actor and worked extensively with federal and numerous other partners to ensure alerting across a sector that was not their own area of focus. This is a reminder that ISACs and ISAOs often have spillover benefits outside their own “traditional” member base.
The paper we have just released contains more examples of information sharing success stories. We are also establishing an email address ([email protected]) for readers, cybersecurity professionals and risk managers to submit additional information sharing success stories. We will handle these submissions consistent with the principles of trust that we followed in our new paper, meaning that organizations will not be specifically identified unless they choose to be. Depending on what additional stories we gather, we anticipate following up and possibly including these stories as part of a supplemental paper.
We welcome the submission of additional stories that we will follow up on. Information sharing is generally voluntary. Collecting and making these success stories available helps to confirm the considerable benefits of information sharing. Hopefully, this proves a useful tool leading to more clarity about the value of investing in information sharing and to better evidence-based decisions about participation.