Network and Information Systems Security | Cybersecurity Information Sharing: Why and How

Cybersecurity information sharing, as the name implies, means that the government shares information, intelligence, research and judgment on cybersecurity with the private sector, that the private sector reports threats, attacks, and other relevant information to the government, and that private-sector organizations exchange information with each other to support their cybersecurity protection efforts.

Article 51 of our country's "Cybersecurity Law" stipulates that "the state shall establish a network security monitoring, early warning and information notification system. The national network information department shall coordinate relevant departments to strengthen the collection, analysis and notification of network security information, and uniformly publish network security monitoring and early warning information in accordance with regulations". This article clearly requires that a mechanism for information sharing be established between the government and the private sector. Article 29 of the "Cybersecurity Law" states that "the state supports cooperation among network operators in the collection, analysis, notification and emergency response of network security information, and improves the security assurance capabilities of network operators", indicating that the state should encourage and support cybersecurity information sharing cooperation within the private sector.

The United States is recognized as the most developed country in terms of network technology and network security legislation in the world today, but the United States has been stagnant in network security legislation in recent years. During the 111th Congress (2009-2010), there were more than 60 bills and resolutions related to network security. During the 112th Congress (2011-2012) and the 113th Congress (2013-2014), there were more than 40 bills and resolutions. But it wasn’t until the last minute of the 113th Congress that Congress passed four bills. This is also the first time the U.S. Congress has passed a bill on cybersecurity since Barack Obama, who has the title of “Internet President”, took office in 2009.

Even so, the facts show that the United States has not passed any significant comprehensive cybersecurity legislation since the passage of the Federal Information Security Management Act in 2002. The four bills passed at the end of 2014 only amend existing laws or make provisions on partial matters such as personnel and institutions.

The comprehensive cybersecurity legislation pursued by the U.S. government and Congress focuses on promoting cybersecurity information sharing and establishing mandatory disclosure mechanisms for personal data breaches and thefts. The reason is that in the United States, 90% of critical infrastructure is privately owned, and American law places the responsibility for the security and protection of this private critical infrastructure on the owner of the facility, not the government. Therefore, the most important means for the U.S. government to enhance infrastructure security is to promote public-private cooperation between government departments and the private sector, and thereby achieve "group prevention and group governance" of cyber threats. Of these two aspects, information sharing in cybersecurity is recognized as the top priority.

What does information sharing mean – changes in the concept of security protection

In the past, most organizations maintained their own network security with this mindset: "Every family clears the snow from its own doorstep and does not care about the frost on others' roof tiles." In line with "building the city wall high and digging the moat deep", the fewer the connection channels between an organization's information system and other organizations, the better; the technical details of the information system and the layout of security prevention and control should be kept strictly confidential; once a network security incident occurs, the spread of information about its analysis and handling must be strictly controlled. The fewer people who know about it the better, let alone revealing it to the outside world.

Many organizations are content to pursue information system security through this isolated self-defense (i.e., maximum "isolation" and "hiding and tucking away"). However, this method also means that organizations can rely only on themselves when carrying out security protection work: with extremely limited information and intelligence, and limited manpower and knowledge reserves, they cannot respond effectively to cyber attacks.

First, the limitations caused by isolated self-defense are reflected in the defense against and handling of network attacks, and in the discovery of security vulnerabilities. Borrowing from the "kill chain" model, a cyber attack can be roughly divided into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective.

Real security defense capability should cover every stage of the attack, and sharing security information allows the defending side to intervene at an earlier stage. For example, in practice, many cyber attackers use similar attack tools and tactics against a large number of targets (i.e., in the first three stages of the "kill chain"). Therefore, by sharing cybersecurity information, it is possible to effectively analyze and summarize information and intelligence on attackers, attack tools, and tactics, thereby giving defenders an opportunity to break the "kill chain" at the earliest possible stage.

Under isolated self-defense, because information and intelligence are limited, organizations often have the technical means and capabilities for detection and defense only at the exploitation stage and later. Obviously, isolated self-defense leads to passive protection work.

Secondly, the limitations caused by isolated self-defense are also reflected in security planning and deployment. Without mutual communication and mutual reference, the only objects security personnel can see and analyze are their own systems. They cannot gain valuable experience from the security incidents experienced by other organizations, including the vulnerabilities involved in those incidents, the security deployment plans of the breached systems and the specific security measures and products they had adopted, and the security measures that were able to resist the attacks. Security personnel can only learn and improve from "small samples". Without the security information, intelligence, and knowledge extracted from the "big sample", security personnel cannot accurately assess which tools, techniques, and practices are most effective against specific threats.

With extremely limited, thin, and fragmented information and intelligence, security personnel in organizations can only rely on general advice and textbook practices, or even hearsay and intuition, when deciding which security measures and products to purchase and deploy. To a large extent they are trapped in the situation of "blind men touching the elephant".

Thirdly, isolated self-defense cannot cope with the rapidly changing cybersecurity landscape. On the one hand, the degree of interdependence between networks and information systems continues to grow. Under this irreversible trend, the security of a single organization increasingly depends on the security of the other organizations connected to it, and defense that lacks coordination can hardly deliver satisfactory results.

On the other hand, in recent years, the balance of attack and defense in the network has gradually been broken, and the capabilities of attackers have increased significantly. For example, distributed attacks (botnets, DDoS) have become increasingly rampant, vulnerability black market transactions have gradually grown in scale, malware and cyber weapons have become more and more complex, and cybercrime has become more and more organized. Many attacks cannot be detected without combining information from multiple parties. Therefore, no organization can any longer resist attacks on its own.

From isolated security to collaborative security

Collaborative security, in essence, is to bring together the wisdom of the people to guide every security decision and behavior of an organization. Therefore, the biggest difference from isolated self-defense is that collaborative security pays great attention to external communication and cooperation. As shown in the figure below, in addition to the departments that monitor their own networks and systems, and the departments that make security decisions, the organization has also set up cooperation departments to carry out external communication and cooperation.


Cooperative Security Basic Schematic[1]

On the one hand, the cooperation department shares the security information and intelligence generated by its own systems with its partners; on the other hand, it continuously provides the security information and intelligence obtained from the outside world to the decision-making department for reference.

What benefits can institutionalized channels and networks for communicating information with the outside world bring to an organization's security protection? In October 2016, the National Institute of Standards and Technology (NIST) published the Guidelines for Sharing Cyber Threat Information (No.: NIST SP 800-150)[2], to solicit opinions from the community. In the Guidelines, NIST states that security information sharing can provide:

Shared Situational Awareness: Information sharing can effectively mobilize and leverage the collective knowledge, experience, and analytical capabilities of shared partners, thereby enhancing the defense capabilities of all organizations. Each member of the shared network can benefit from the knowledge and experience of other members. Each member’s contribution to the shared network can improve the situational awareness and security level of the entire shared network.

Enhanced Threat Understanding: By sharing threat intelligence, organizations can gain a more complete understanding of the threat environment, allowing them to design and deploy security measures, detection methods, and so on in a targeted manner based on real-time changes in the threat environment.

Improved Knowledge Maturation: Through sharing and analysis, seemingly unrelated information and observations can be related to each other; on this basis, indicators for specific incidents and threats can be built, and a deeper awareness of the relationships between indicators can be gained.

Greater Defensive Agility: Attackers continually revise the tactics, techniques, and procedures (TTPs) of their attacks according to the defender's protection and detection methods. Through information sharing, organizations can rapidly detect and respond to attacker TTPs, turning defense from passive to active.

Improved Decision Making: Through information sharing, organizations gain a more complete and comprehensive view of their security posture, and can be more efficient and confident when making security decisions.

For a single organization, participating in security information sharing brings a broader and deeper understanding of attackers and shortens the response time to network attacks; the organization can also imitate the effective security measures deployed by other organizations and improve its overall security level.[3]

A study by American scholars also shows that organizations that participate in security information sharing can achieve the same level of security as organizations that do not participate, with less investment.[4] That is why security information sharing enables organizations to make smarter investment decisions and do more with less. Another study of financial institutions showed that as systems become more interdependent, the benefits of security information sharing increase; at the same time, the more sharing there is, the more efficient the investment in security.[5]

In fact, in addition to improving the level of organizational security, information sharing can also promote the healthy development of the network security market. In the "sour lemon market" proposed by the famous economist George Akerlof, significant information asymmetry makes it difficult for buyers to distinguish the real value and quality of goods, while sellers can "safely" exaggerate the quality of their goods. Buyers can then only judge the average quality of goods from the average price in the market, so they are only willing to pay the average price. Since goods are a mix of good and bad, paying only the average price makes those who provide good goods lose out and those who provide bad goods gain. Good products therefore gradually withdraw from the market. As the average quality declines, the average price falls further, and goods whose real value is above the average price gradually withdraw from the market. In the end, the "sour lemon market" is left with only bad goods.

To a large extent, there is a serious information asymmetry between buyers and sellers in the cybersecurity market. For example, when no security incidents occur in information systems and networks, it is often difficult to tell whether the purchased security products and services are really effective or whether the organization simply has not been targeted by powerful hackers. The lack of security information sharing leaves the party purchasing security products and services with too little "sample" information to assess their efficacy accurately. If the information asymmetry in the network security market is not corrected, it will likely lead to the phenomenon of "bad money drives out good money", which will further increase buyers' distrust of sellers. If the willingness to buy decreases, the market will shrink further, and innovation and progress will be out of the question.

For government authorities, greater security information sharing among organizations means more security information and data are "produced" and begin to circulate, which makes security big data possible. The competent authorities can use this to gain a more comprehensive grasp of the overall situation of threats and security protection at the macro level, analyze possible future development trends, and formulate strategies and action plans at the national level, laying a solid foundation for the protection work of various departments and industries.

On the other hand, when the competent departments participate in security information sharing, they can quickly and widely publish the information they hold through the sharing network. Through information sharing, they can mobilize and coordinate the whole of society to achieve real-time group prevention and group governance, and improve the effectiveness of network security governance.

What security information is shared

Each type of information has potential uses. For example, some information can help government authorities or organizations assess the threat environment, including who the attackers are, their size and organization, the targets they are interested in, and the goals they hope to achieve. Through information sharing, a large number of cases are synthesized, analyzed and tracked to form a description of the attacker's behavior patterns and attack costs, and finally a profile of the attacking organization.

After some information is shared and integrated, it can help organizations reconstruct a single kill chain and analyze the characteristics of attack tools, attack methods, attack sources, and attack targets. There is also information that provides guidelines for dealing with certain types of threats or attacks. Sharing this information enables organizations to learn from each other and improve security.

In early 2015, Microsoft Corporation of the United States released "A framework for cybersecurity information sharing and risk reduction".[6] In the Framework, the cybersecurity information available for sharing is divided into the following seven categories:

Incidents: Details about a successful or attempted cyber attack, including information lost, techniques used in the attack, attack intent, impact, etc. Security incidents can range from a successfully blocked attack to an attack that creates a serious national security crisis.

Threats: Including things that are not well understood but can lead to potentially serious impacts; Indicators of Compromise (IoC), such as malicious files, stolen email addresses, affected IP addresses, and malicious code samples; and information about threat actors. This type of information helps spot security incidents, learn from attacks, create solutions, and more.

Vulnerabilities: Vulnerabilities in software, hardware, and business processes that can be exploited maliciously.

Mitigations: Includes methods for patching vulnerabilities, blocking or containing threats, and responding to and recovering from security incidents. Such information typically comes in the form of vulnerability patches, antivirus software upgrades, directions to remove malicious actors from the network, etc.

Situational awareness: This information includes real-time telemetry of exploited vulnerabilities, active threats, attacks, as well as attack targets, network conditions, etc., and can help decision makers respond to security incidents.

Best practices: Information on the development and deployment of security products and services, including security controls, incident response processes, software vulnerability fixes, and more.

Strategic analysis: Synthesize, refine, and analyze information from all sources to build metrics, map trends, and make forecasts to help government and private sector decision makers prepare for future risks.

Basic Model of Secure Information Sharing Network

The "Network Threat Information Sharing Guide" gives three basic structures for a security information sharing network: centralized, peer-to-peer, and hybrid.[7]


In centralized mode, the center receives security information from the endpoints, synthesizes and analyzes it, and then transmits the results back to the endpoints. Generally speaking, the center needs strong information storage, processing, and analysis capabilities in order to meet the changing needs of the information sharing network. The disadvantage of this model is that the entire information sharing network relies on the center as its security information exchange hub. If the center is delayed in processing information, or even suffers a security incident itself, the function of the entire information sharing network will be greatly reduced and may be completely paralyzed.

In peer mode, each endpoint autonomously pushes network security information to other endpoints, or broadcasts directly to the entire information sharing network. Since there is no information exchange center, the peer mode puts forward higher requirements on the security information receiving and analysis capabilities of each endpoint.

Hybrid is a combination of centralized and peer-to-peer. When each endpoint sends security information to the center, a direct information sharing channel is also established between endpoints.

Another fundamental question in building a security information sharing network is the choice between automatic and manual sharing. In the manual sharing mode, the organization assigns dedicated personnel to send, receive, and analyze security information. The disadvantage of this mode is that human factors, such as human-induced errors, become the bottleneck of the information sharing network, so it cannot be used for real-time, continuous, and high-intensity information transmission, reception, and security configuration updates.

The automatic sharing mode requires that each endpoint of the information sharing network adopts a unified information transmission format, installs sensors for collecting security information, a monitoring system that can receive early warning information, and a security mechanism to avoid leakage of sensitive security information. The automated sharing model overcomes the limitations caused by the human factor, but its high degree of automation also leads to the risk of cyber-attacks.

Removing the top three barriers to the functioning of security information sharing networks

The above describes the rise of collaborative security concepts, the benefits brought by security information sharing, the classification of shared security information, and the basic structure and information transmission methods of shared networks, which are mainly abstract and theoretical descriptions.

Now let us enter the complicated reality and explore how to establish an effective, sustainable and orderly security information sharing mechanism. Taking an information sharing network from a design on paper, through real-world construction, to day-to-day operation is mainly a matter of eliminating three obstacles to its operation.

Obstacle #1: The discovery ability of members

Obviously, if network security incidents cannot be discovered, subsequent analysis and sharing are impossible. If the members of an information sharing network differ markedly in their ability to discover security incidents, most of the shared information will end up being provided unilaterally by the members with strong discovery ability. In the long run, the value and sustainability of the information sharing network will be greatly reduced. Therefore, when an information sharing network is established, it is often necessary to require its members to have a certain level of security event discovery capability.

The ability to detect security incidents alone is not enough. If some members, weighing the costs and risks of sharing, deliberately conceal the security incidents they discover and do not share the relevant information, the problem of "free-riding" cannot be solved. Therefore, the information sharing network also needs to take certain measures, either through incentives or through mandates[8], to solve this problem.

Obstacle #2: The analytical ability of members

If the members in the information sharing network just share all kinds of information related to security incidents without any analysis, it will obviously cause the problem of excess information in the entire shared network. In the face of a large number of “noises”, information recipients need to filter and analyze by themselves. While the workload is greatly increased, there are few “gains”. Such information-sharing networks will eventually be unsustainable. Therefore, many information sharing networks require members to analyze security incidents first; some information sharing networks also specifically list several types of questions to guide the analysis of security incidents:

Impact of security measures

What security measures were in use on the system when the security incident occurred, and why were these measures insufficient to protect against the threat?

What security measures might protect against this threat?

After the security incident, what adjustments were made to the system's security deployment and defense?

The root cause of the intrusion and third-party factors

What factors in the system's software, hardware, and services (e.g., configuration or vulnerabilities) made the intrusion successful?

Was there a third-party factor that made the intrusion successful?

Losses caused by security incidents and follow-up cleanup

What was the cost of the security incident (money, information leakage, service interruption, etc.)?

What kind of stop loss measures were used?

It should be pointed out that not all of the analysis results for these questions are meant to be shared, because the answers to many of them often contain members' trade secrets or other private information. The significance of listing these questions is that after a security incident occurs, members should try to analyze these aspects, arrive at preliminary answers, and then share some of the conclusions with other members. Which information needs to be shared and which can be retained depends mainly on the purpose of the information sharing network and the mutual agreement among its members.

Obstacle #3: The risks of sharing

Sharing network security information, to a certain extent, discloses security information about the organization to the outside world, and this carries various risks. Examples are as follows:

Risk of reputational and financial damage: Being hacked is inherently embarrassing. Failing to defend successfully is bad enough; having to share the details as well is like airing a family scandal. If this information leaks outside the information sharing network and the whole of society learns of it, the reputation of the organization will suffer a great loss, and its stock price may also fall;

Risk of being sued or being held accountable and punished by the competent authority: Once the outside world knows that the organization failed to prevent a hacker attack that caused economic losses or information leakage, the organization may be sued by the relevant rights holders;

The risk of leaking internal security deployments: Those with ulterior motives can reverse-infer from the shared network security information, thereby mastering the internal security mechanisms and deployments of the organization;

Risk of leaking intellectual property and business information: The shared network security information may contain the organization’s business secrets, intellectual property and other information;

Risk of violating the privacy protection of customers and users: If the network security information contains personally identifiable information, communication information, etc. of customers and users held by the organization, sharing it may cause customers and users to believe that the organization has breached the information protection agreement and violated their privacy.

Risks in sharing information with government authorities: first, the government authorities may hold the organization accountable or punish it for failing to fulfill its security protection obligations; secondly, customers and users are reluctant to let government departments hold their information; thirdly, information shared with the government may be subject to government information disclosure requirements and be opened to the public.

Risks of violating relevant laws and regulations: For example, the Anti-Monopoly Law contains provisions on "operators reaching a monopoly agreement", and organizations sharing network security information with each other may be regarded as engaging in monopolistic behavior, which would lead to investigation by anti-monopoly agencies.

The risk of secondary use of security information: once security information is shared, it leaves the organization’s control; there is no guarantee how the party who obtains the information will use the information; how competitors will use the information is more difficult to guard against.

Risks of dubious information authenticity: Organizations may worry that even if they overcome these risks and share cybersecurity information with others, will other organizations do the same? Do they intentionally provide wrong information?

Risk of national secret leakage: The government shares its cybersecurity information with organizations. If the information spreads out of control, it may lead to national security risks.

These objective legal, reputational, and operational risks, to a large extent, lead organizations (or government departments) to hide and conceal information about security incidents, thus hindering the sharing of cybersecurity information.
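Several of the risks listed above (leaking internal security deployments, business information, and users' personal information) can be reduced at the endpoint before a record ever enters an automated sharing channel. The following Python code is an added example, not part of the original article or of any guide or framework it cites; the field names, the internal address ranges and the `corp.example` suffix are assumptions, and the sample record is constructed.

```python
import ipaddress
import re

# Assumptions for this example: the organization's own address space and DNS suffix.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIX = ".corp.example"

# The seven information categories and seven kill-chain stages named in the article.
CATEGORIES = {"incident", "threat", "vulnerability", "mitigation",
              "situational awareness", "best practice", "strategic analysis"}
KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command and control", "actions on objective")

# Hypothetical field names. Allow-list: anything not named here stays in-house.
SHARED_FIELDS = ("category", "kill_chain_stage", "observed_at", "summary", "mitigation")
FREE_TEXT_FIELDS = ("summary", "mitigation")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*" + re.escape(INTERNAL_SUFFIX) + r"\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal_ip(text):
    """True if text is an address inside the organization's own ranges."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def is_internal_name(name):
    """True for the organization's own domain and any host beneath it."""
    name = name.lower().rstrip(".")
    return name == INTERNAL_SUFFIX[1:] or name.endswith(INTERNAL_SUFFIX)


def scrub_text(text):
    """Mask e-mail addresses, internal host names and internal IPs in free text."""
    text = EMAIL_RE.sub("[email removed]", text)
    text = HOST_RE.sub("[internal host]", text)
    return IPV4_RE.sub(
        lambda m: "[internal address]" if is_internal_ip(m.group()) else m.group(), text)


def keep_indicator(indicator):
    """Keep indicators that describe the attacker, drop ones that describe us."""
    kind, value = indicator["type"], indicator["value"]
    if kind == "ipv4":
        return not is_internal_ip(value)
    if kind == "domain":
        return not is_internal_name(value)
    if kind == "email":
        return not is_internal_name(value.rsplit("@", 1)[-1])
    return True


def prepare_for_sharing(record):
    """Return (shareable, withheld): the outbound record and an audit of what stayed."""
    for key, allowed in (("category", CATEGORIES), ("kill_chain_stage", KILL_CHAIN)):
        if record.get(key) not in allowed:
            raise ValueError("unknown %s: %r" % (key, record.get(key)))
    shareable = {f: record[f] for f in SHARED_FIELDS if f in record}
    for f in FREE_TEXT_FIELDS:
        if f in shareable:
            shareable[f] = scrub_text(shareable[f])
    indicators = record.get("indicators", [])
    shareable["indicators"] = [i for i in indicators if keep_indicator(i)]
    withheld = {"fields": sorted(set(record) - set(SHARED_FIELDS) - {"indicators"}),
                "indicators_dropped": len(indicators) - len(shareable["indicators"])}
    return shareable, withheld


# Constructed sample record: a phishing incident as the victim's own team logged it.
SAMPLE = {
    "category": "incident", "kill_chain_stage": "delivery",
    "observed_at": "2024-01-15T09:30:00Z",
    "summary": "Phishing mail from billing@invoice-update.example reached mail01.corp.example "
               "(10.20.3.14); the attachment beaconed to 203.0.113.7.",
    "mitigation": "Sender domain blocked at the gateway; credentials reset for j.doe@corp.example.",
    "affected_users": ["j.doe@corp.example"],
    "estimated_loss": "under assessment",
    "indicators": [
        {"type": "email", "value": "billing@invoice-update.example"},
        {"type": "domain", "value": "invoice-update.example"},
        {"type": "ipv4", "value": "203.0.113.7"}, {"type": "ipv4", "value": "10.20.3.14"},
        {"type": "domain", "value": "mail01.corp.example"},
    ],
}

if __name__ == "__main__":
    print(prepare_for_sharing(SAMPLE))
```

The free-text scrubber is deliberately conservative: it masks every e-mail address in prose, so the attacker's sender address travels only as a typed indicator.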

How Real-world Security Information Sharing Networks Overcome Obstacles

Summarizing the practice, we can roughly see that there are four types of information sharing networks: member-driven, data-driven, event-driven, and risk-driven.

Member-driven: Examples are the US Information Sharing and Analysis Centers (ISACs), which cover critical industries and critical infrastructure sectors, including financial services, communications, power, emergency services, healthcare and public health, information technology, maritime, mass transit, education, supply chain, transportation, water conservancy and real estate. The members of each ISAC are mainly from the same industry.

Data-driven: For example, a network that uses a uniform transport format or tool to automatically share cybersecurity information. A typical example of this type is the Cybersecurity Risk Information Sharing Program (CRISP) operated by the US Electric Power Industry Information Sharing and Analysis Center (ES-ISAC). In this program, ES-ISAC helps participating members install sensors in their respective networks. The sensors automatically transmit encrypted data to the U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL). After analyzing the data, PNNL issues early warnings to the members participating in ES-ISAC and shares mitigation measures.

In this example, ES-ISAC helps participating members install unified sensors, which first ensures that each member has roughly similar security incident detection capabilities; second, all data is analyzed centrally by the Pacific Northwest National Laboratory under the US Department of Energy, which overcomes the obstacle of members' differing analytical capabilities; at the same time, ES-ISAC adopts a centralized information sharing network in which the laboratory under the government department acts as the center of the network, and the center desensitizes the information. To a large extent, this relieves members who encounter security incidents of risks such as reputational and economic damage and leakage of internal security deployments.

Event-driven: This type of information sharing network is primarily established to solve a specific issue or problem. What all members of the network have in common is that they face the same problem. An example is the information sharing network formed to solve the Millennium Bug problem.

This type of information sharing network focuses on a single topic or issue, with members of different sizes from different industries and a relatively loose organization, so it does not place high demands on members' discovery and analysis capabilities, and the scope of the information shared in the network is limited (mainly around one specific issue). On the one hand, these characteristics mean that such information sharing networks face few obstacles; on the other hand, they also mean that such networks play a relatively limited role.

Risk-driven: This type of information sharing network is built around security research for a specific system or ecosystem. The members of the sharing network come from that particular system or ecosystem. For example, in an information sharing network established specifically for the network security of smart cars, the members can come from all areas related to smart cars.

Similar to the event-driven information sharing network, this type of information sharing network faces few barriers to information sharing. The members share the vulnerabilities, attack methods, etc. of a particular system or ecosystem, and the shared information is relatively simple. The main risk involved is that the shared information may reveal intellectual property and commercial information, and organizations that actively share can avoid this risk to a large extent through further self-censorship.
