It is hardly news anymore that corporate and government networks and websites are under a constant barrage of cyberattacks. It takes a massive hack or service breakdown to get widespread notice: an apparently coordinated attack on major banks last fall; a multinational ATM scam starting late last year that followed the theft of online cardholder records from an Indian processing center; recent military-scale offensives traced to China that are causing some diplomatic rows.
That the threats are recognized and carried out in plain sight is a source of frustration to the cyberdefense community, a military-industrial complex that has been fighting these battles since before the Internet went mass-market. The continued successes of malicious hackers and other bad actors are all the more perplexing in view of the increasingly sophisticated technological weaponry targeting these vulnerabilities.
Authorities as high as the White House have turned a critical eye toward information sharing among the cyberdefense forces. Poor communication among intelligence agencies helped the 9/11 terrorists slip through the cracks. Now there are nagging questions about whether the Boston Marathon bombing was a similar failure that exposed persisting flaws.
By early in the past decade, the U.S. had created a Department of Homeland Security, restructured its intelligence apparatus and, through presidential executive orders, laid the groundwork for flows of strategically relevant antiterrorism and cybersecurity information not only across the government but also between U.S. agencies and the private sector, particularly in so-called critical infrastructures such as banking and energy. Perhaps the creation of new bureaucracies and the widening circle of interested parties complicated the mission.
President Barack Obama saw fit to underscore the information-sharing imperative in a February executive order. Headlined “Partnering with Industry to Protect Our Most Critical Assets from Cyber Attack,” the order “requires federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner.”
Obama’s order assigned the government-run National Institute of Standards and Technology the task of developing a cybersecurity framework in collaboration with the private sector to promote effective systems and practices. The effort is “largely dependent on industry involvement . . . to make the best possible decisions in cybersecurity,” Deputy Commerce Secretary Rebecca Blank said at a NIST workshop in March.
In its 2013 annual report, the Financial Stability Oversight Council — the U.S. Treasury–led regulatory body concerned with systemic risks — said “improved cooperation across firms and industries is necessary as the volume and sophistication of attacks increase. Public-private partnerships could further improve the analysis and dissemination of robust information to facilitate real-time responses to cyberattacks.”
Speaking at a Securities Industry and Financial Markets Association conference in April, Cyrus Amir-Mokri, the Treasury’s assistant secretary for financial institutions, said “government alone cannot keep our financial system safe” and called on the industry to establish “clearinghouses that gather information about recent threats, indicate whether these threats led to incidents and document the manner in which the threats or incidents were addressed or mitigated.”
In fact, the Financial Services Information Sharing and Analysis Center has been doing just that since 1999, before the cyberdefense complex kicked into high gear. The momentum at the industry-run FS-ISAC — one of several such critical-infrastructure-centered entities — picked up in 2006 when former banking and payment systems executive William Nelson became CEO and worked on expanding the group’s membership internationally and refining its information-sharing mechanisms. In February, FS-ISAC won an RSA Conference Award — an annual honor for excellence in information security — for sharing information to thwart malicious attacks and threats with, among others, the Treasury and Homeland Security departments.
As heroic as FS-ISAC may be, no single entity, and no single collaborative entity, can stop the madness on its own. There are still technologies to harden, attitudes to change and lines of communication to open up. The defenders just have to keep grinding it out.
“The only way we can get good at this is to share information,” says Tim McCreight, chief information security officer of the Government of Alberta, Canada. “We know the folks on the other side share information on a daily basis. We need to do the same.”
Jeffrey Kutler is editor-in-chief of Risk Professional magazine, published by the Global Association of Risk Professionals.
