WASHINGTON--Lack of trust is the primary reason cybervulnerability and threat data is not shared within and between the public and private sectors, a panel of government and industry representatives told a homeland security conference today.
"Situational awareness is driven by interpersonal communications, so people find other people that they trust," said Marcus Sachs, vice president for national security policy for Verizon Communications. "If something bad is happening the alert goes out amongst the trusted group. It doesn't necessarily go out through official channels."
The admission came during a panel discussion at the AFCEA Homeland Security Conference held at the Ronald Reagan International Trade Center. The session focused on creating cybersituational awareness, or the ability of stakeholders to share enough information in real time to protect both their networks and the common Internet infrastructure that undergirds society.
There isn’t an easy way to establish that trust, panelists said.
Such relationships aren't perpetuated from the top down; rather, they blossom organically, according to private sector panelists.
Moderator Matthew Stern, a senior advisor to the Department of Homeland Security’s US-CERT at General Dynamics, said the cybersecurity community is a small, tightly knit one.
“A lot of us have grown up together,” he said, adding “You trust people you know.”
This often leads to a knowledge imbalance within an organization, where decision makers know less than their subordinates, Sachs said. The problem is exacerbated by the hyperconnectivity provided by social networking tools like Twitter and Facebook. It leads to great situational awareness for a particular group, “but it doesn’t translate up to senior officials who need to make real-time decisions, because they’re just not seeing what everyone else is talking about.”
Stern asked the panelists how the public and private cybersecurity communities can institutionalize trust.
“I don’t think we can ever institutionalize the trust necessary to make situational awareness,” said Aaron Walters, vice president of research and development for Terremark Worldwide.
Walters pointed to the open-source software-development community as a model. Everyone who joins the community must be willing to share something to foster trust. If they don’t, they get “voted off the island,” Walters said, referencing the TV show "Survivor."
Another model is the National Security Information Exchange (NSIE), said Sachs, which was created two decades ago by the federal government as a way for the private sector to share sensitive information. By exposing confidential information within the NSIE, incoming participants show long-time members that they can be trusted.
“You’re allowed to come to one meeting and not bring anything,” Sachs said. “The next time you come if you don’t have something to lay on the table to share with others, you’re not invited back.”
An information-sharing arrangement can only work if all parties share. "It's not a voyeuristic mindset," according to Sachs. "That's not how we get to this common picture or this situational awareness that we want. Part of that trust breakdown may be each of us being able to open up a little more or show a little offering of what we're doing so that others may then develop their trust in us."
Brigadier General John Davis, director of current operations for U.S. Cyber Command, admitted he didn’t know how to build the trust necessary to achieve cybersecurity situational awareness, but he predicted the evolving nature of the threat could help facilitate more partnerships.
“I think urgency is one of the things that’s going to get us through this,” he said.
Originally, organizations had to worry primarily about information theft. Then, in 2007 and 2008, massive cyberattacks on Estonia and Georgia showed that the threat could be tied to traditional military actions. “Now what we’re seeing is destructive capabilities that are being built and cause us great concern,” Davis said without specifying an example.
This means government and the private sector must join together to alert each other before a massive cyberattack hits U.S. critical infrastructure.
“I’m very hopeful that we can do that by working together in advance,” Davis said. “But I do think that if we don’t, that situation’s coming, and it’s coming probably faster than we think.”