Cyber Information Sharing - Beyond Detect

Cyber Information Sharing - Beyond Detect

Threat information sharing is recognized as an important and evolving topic within cyber security. The need for organizations to collaborate for the protection of IT systems is in part driven by the highly collaborative and diverse ecosystem of threat actors, with an ever greater overlap of tools, techniques and teams targeting public and private sectors alike. Where organizations effectively share experiences and insights that may be unique to them, broader communities can benefit at scale –a rising tide lifts all boats.

Much has been done to improve the sharing of threat intelligence both nationally through the NCSC (National Cyber Security Centre) Cyber Information Sharing Platform, as well as within specific communities of interest. However, it continues to be recognized that more needs to be done, as reflected by initiatives such as the Financial Sector Cyber Collaboration Centre announced last year.

Calls continue for government, or specifically NCSC, to share more advanced threat intelligence given their unique visibility of the evolving threat landscape. However balancing the risks associated with information disclosure relating to both vulnerabilities and evolving adversary capabilities will always create a practical limit to both the speed and extent to which this can be done.

Evolving Cyber Defense

There is however another area in which NCSC possesses unique capability that is both valuable to industry and easier to share, but to date has been in far less demand. Threat intelligence sharing is primarily about detection and response, however with its role as National Technical Authority, much of NCSC’s guidance as delivered to government is focused initially on defense. After all, architecting systems that are well protected and minimize the likelihood of compromise is the first step to a successful detection and response strategy.

Three or so years ago, in the pre-NCSC era, very little of the architectural advice for government’s classified networks would have translated as being relevant to the needs of much of the private sector. Government systems were typically built as bespoke, expensive and exhibiting poor usability. All system requirements were subservient to security - an approach which ironically often undermined security. In recent years, government has evolved out of necessity to make better use of modern technology and meet the expectations of a modern workforce. This has required looking to the private sector for innovation, developing collaborative and agile relationships with the supply base to both validate and influence technology, and developing novel network architectures that combine an array of defenses to balance security requirements with the cost, usability and flexibility sought.

As a result, many of the newer government systems, even those that operate at higher levels of classification, now leverage commercial technology to offer the levels of functionality, flexibility and usability that private sector employees would be familiar with, whilst still achieving the levels of security required for sensitive government systems. However, as far as information sharing is concerned, relatively little has been done to date in terms of more broadly communicating the innovations and experiences gained within government in recent years.

Towards Informed Risk Management

As one would expect, cyber-related IT transformation within government has been achieved by advances at both the product and architectural levels, driven by both the world-leading expertise that NCSC possesses, as well as the shift within exemplar government departments towards informed and effective risk management. The resulting ‘defense in depth’ architectures allow departments to proportionately manage the risks they care about, in part by employing products that provide a high degree of assurance against well-articulated security claims - claims that can be independently validated. High assurance products deployed within appropriate architectures allow risk to be quantified in a way that is difficult to achieve in systems that are primarily reliant on probabilistic defenses – be that signature or other forms of anomaly detection. Such technologies may be necessary but are not sufficient for achieving well quantified and well managed technical risk in today’s diverse and evolving environments that encapsulate cloud, mobile big data, IoT and the myriad of technology trends that even the most security conscious organizations need to adopt at pace.

Driving Demand for Better Cyber

The broader sharing of relevant guidance by NCSC certainly shows signs of growing, with recent examples being published architectures for secure data import, and publicising work focused on secure mobility. However the pace and extent of sharing does in part need to be driven by demand from the private sector. Arguably today, the market is far from optimized to drive demand for better cyber security technology and services. One absent market lever is the necessary assurance schemes and standards that can appropriately define what good looks like, and how technical risk can be better quantified and managed. Existing schemes are not yet sufficiently mature to cope with the scale, agility and innovation required. Instead, many organizations are reliant on the more subjective opinions of sources such as industry analysts, who themselves may be more subject to marketing budgets than an informed and detailed analysis of a new product or service capability. Encouragingly, government does have a current focus on innovating in the space of product and service assurance, with active initiatives within NCSC, as well as across broader government through the Cyber Growth Partnership. The CGP in particular is keen to reach out to broader stakeholder communities, encouraging the private sector to play a greater role with such initiatives, using its resources and unique perspectives to help inform and improve the common standards of assessing technology and best practices, particularly for the sometimes slightly under-valued topic of cyber defense. If successful, the UK would be well positioned within the domain of cyber, to establish a rising tide that does indeed lift all boats.