Why we should share actionable threat intelligence: a call for collaboration in the age of increased geo-political cyber threats

The Financial Times recently ran a story headlined: ‘cyber security experts lament west’s failure to learn lessons from Ukraine.’

The article reports that cyber executives attending Black Hat, one of the world’s biggest cyber security gatherings, told the FT that the West is struggling to replicate the collaborative methods that had proved successful in the conflict, because they are instead “mired in regulatory and legal roadblocks that thwart fast-moving responses that require open sharing of often sensitive or embarrassing information.”

I spoke on the importance of information sharing at #Davos last year on a panel titled ‘The Technology Industry and the Age of Hybrid Warfare.’ As this year marks the fifth anniversary of the Cybersecurity Tech Accord, of which DXC Technology is a proud signatory, it is important to reflect on the progress made during this important period for cybersecurity – as well as why we, as an industry, must get better at sharing actionable threat intelligence.

The Cybersecurity Tech Accord was established to ‘defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states’ and, in its anniversary report, Building a Voice for Peace and Security Online: The Cybersecurity Tech Accord’s First Five Years, Head Secretariat, Edoardo Ravaioli, wrote:

“The world no longer needs to speculate about what "cyberwarfare" will look like, as the illegal Russian invasion of Ukraine forever transformed the nature of armed conflict as the first ever example of large-scale hybrid warfare. What were once isolated malicious cyber incidents and operations, have become well-funded, strategic, large-scale cyberattack campaigns integrated with and complementing kinetic military operations. It is clear that cooperation between governments and the technology industry must remain a priority, as our industry continues to actively detect, defend and disrupt attempts to undermine peaceful technology.”

The Cybersecurity Tech Accord’s anniversary report acknowledged successes and failures. Of the former, there was recognition of a multistakeholder response in Ukraine, with numerous companies stepping up early in the conflict to provide support to protect sensitive Ukrainian data and infrastructure from cyber-attacks, including hardening defences, migrating data to more secure environments, and in some cases, taking action against cyber operations.

Of the latter, it reflected on the limited progress made in the UN working group tasked with deliberating responsible state behaviour online. The report noted that: “the working group has consistently voted to exclude participation of relevant nongovernmental stakeholders” and that, while the UN General Assembly has voted to establish a “Programme of Action” on cyber that could serve as a more robust and inclusive body in future, “much will depend on how it is structured and implemented.”

There are examples to emulate, such as the National Cyber Security Centre (NCSC). In alliance with its international partners, the NCSC has published a new report sharing technical details about malware – dubbed Infamous Chisel – used to target the Ukrainian military and attributed to the Russian military intelligence service, the GRU.

From an organisational point of view, in some quarters I still see a certain reluctance to share actionable threat intelligence. This isn’t for a lack of commitment or desire. Many organisations and CISOs are still feeling their way.

Part of the challenge is determining what to share. What might seem like a relatively benign threat to one organisation might be considerably more serious to another. I do think people understand that there is mutual benefit to sharing threat information, but there are always important confidentiality issues to consider during an active attack. The important thing is to strike a balance so that we alert our ecosystem to threats, without oversharing and inadvertently exposing our organisations, clients and partners to more risk.

AI and automation are getting better at monitoring and identifying threats, but until then, formally or informally, it is important that we remain committed to sharing information at speed and at scale.

It is clear that there is much work still to be done and I welcome your ideas for best practice approaches for how we can more effectively collaborate to increase our collective cyber resilience.

One thing is sure – it is only by working together that we can hope to collectively strengthen our defences against the ever-growing threat of cyber-attacks.

Check out DXC's website for more ideas, solutions and services that could help you keep your organisation safe.

#AI #Cybersecurity #DataProtection

Hamid Bafghi

MEA Market Growth Strategy Advisor @ KryptoKloud | Strategic Advisory

1y

I believe there has been a lot of work already done on sharing IOCs; however, there needs to be more work done around sharing IOA globally. Paul Burrows, would you want to comment on this?

James Dunn MCIPR

Global Government Affairs and Public Policy | Board Director | Bertelsmann Foundation Fellow | Aspen Institute Rising Leader

1y

Excellent article Mark, thanks for sharing. I would add that this information sharing should not just be purely transactional. Governments around the world will receive reports, of varying actionability, daily. The constant dialogue with suppliers and companies must be there: government and regulatory officials should be proactively building and maintaining relationships with industry, from CISO down, to ensure that information can be shared quickly and in a trustworthy way. There's also a third angle that needs more exploring. You have the relationship between company and government, and the information flow back down. You have the relationship, in the case of a multinational, with other governments. But the relationship between those governments at officials level, outside of international fora like UN working groups, is as critical. Really interesting read!

Nice article, Mark! I agree collaboration is key to improving our collective cyber resilience.

John Madelin

Cyber Security Freelancing

1y

Great article Mark. Because information during an attack is always subject to privilege we must work with the law enforcement agencies to help broker this sharing - in my view NCSC do a great job here but your observation that this needs to be more deliberate and orchestrated is spot on. Outside the confines of a specific event where, as one observer points out, more contextual stuff is helpful, we might also share in a more organised and even open forum! My view is that bad actors will know about this stuff already, since their information sharing is so efficient. Controversial maybe, but more creative thinking is definitely needed to consolidate and improve on some existing, distributed, and closed forums.