Last week the House passed legislation (H.R. 1560, the Protecting Cyber Networks Act [PCNA]) incentivizing the sharing of cybersecurity threat indicators between companies and the Government. The timing of this act was auspicious as it coincided with the cybersecurity community’s largest annual conference – RSA. Host to 33,000 cybersecurity professionals, RSA 2015 included more than 20 sessions on threat and information sharing. Despite all of this excitement, few organizations and individuals will benefit from threat indicator sharing anytime soon.
To understand why, we first need to understand what threat indicators are and how sharing them is supposed to help. Threat indicator sharing works much like posting a description of a suspect following a crime. However, instead of physical information about the assailant (height, weight, race, hair color, eye color) and the crime (time of day, modus operandi, weapons used, target), threat indicators include technical information about the attack (vulnerabilities exploited, source IP address, attack methodology, tools used, intended target). Just like a wanted poster, this information can be used to prevent an identical attack on a different organization.
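The "wanted poster" mechanism, as an added example that is not part of the original post: one organization shares an indicator record carrying the technical fields listed above, and a second organization checks its own web-server logs against it. The indicator, the IP addresses (RFC 5737 documentation ranges), the tool name and the log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Apache combined log format: client IP, request line, status, and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

@dataclass(frozen=True)
class ThreatIndicator:
    vulnerability: str   # weakness the attacker exploited (free text here)
    source_ip: str       # address the attack came from
    tool: str            # attack tooling, visible here as the HTTP User-Agent
    target: str          # path the attacker went after

# Constructed indicator as "Org A" might share it after an incident (not a real IoC).
SHARED = [ThreatIndicator("path traversal in file download", "203.0.113.45",
                          "scanner-x/1.0", "/download")]

# Constructed log lines from "Org B".
ORG_B_LOG = """\
203.0.113.45 - - [10/Apr/2015:13:55:36 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 403 512 "-" "scanner-x/1.0"
198.51.100.7 - - [10/Apr/2015:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2015:13:57:14 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 9001 "-" "scanner-x/1.0"
"""

def match_indicators(log_text, indicators):
    """Return (line_number, indicator, matched_fields) for each log line that
    matches at least one field of a shared indicator. The matched-field list is
    what an analyst reviews: a source IP alone is weak evidence, while IP + tool
    + target is a near-certain repeat of the attack Org A described."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for ind in indicators:
            fields = []
            if m["ip"] == ind.source_ip:
                fields.append("source_ip")
            if m["agent"] == ind.tool:
                fields.append("tool")
            if m["path"].split("?")[0] == ind.target:
                fields.append("target")
            if fields:
                hits.append((n, ind, fields))
    return hits

if __name__ == "__main__":
    for n, ind, fields in match_indicators(ORG_B_LOG, SHARED):
        print(f"line {n}: matched {fields} of indicator '{ind.vulnerability}'")
```

The third line matches on tool and target but from a different address, which is exactly the kind of partial hit that today still goes to a human for review rather than triggering an automated block.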
Even if the PCNA is signed into law and the Government establishes the necessary sharing mechanisms and liability protections, the technical sophistication of most organizations will limit its effectiveness. Today, threat indicator sharing:
- only benefits the most sophisticated organizations – those who have established threat intelligence programs and security operations centers
- is a highly manual process – even the most sophisticated organizations rely primarily on the manual review, acceptance, and use of threat indicators
- continues to be limited by economics – benefits accrue only once enough organizations are sharing that any individual organization is able to detect a similar attack before their systems are compromised
So, will threat indicator sharing eventually help? Absolutely! In the short run, however, we are fighting a losing battle against attackers who have established sophisticated processes and a robust economy for sharing malware, botnets, exploits, and vulnerabilities. Attackers innovate and share faster than we do. While there are significant hurdles before organizations can reap the benefits of broad-based threat indicator sharing, it is necessary to change the attack-defend paradigm, making it easier to protect our digital assets than it is to compromise them.
Nathan Lesser is a new non-resident senior fellow with the GW Center for Cyber & Homeland Security.