Security executives at the RSA Conference in San Francisco urge organizations to openly share information about their cyber-threats in real time.
By Tony Kontzer
While controversy has long swirled around the proposed Cyber Intelligence Sharing and Protection Act (CISPA), which was recently re-introduced in Congress, the information security community has no doubts that the time to share information on cyber-threats is here.
During a panel discussion at the RSA Conference at San Francisco's Moscone Center last Wednesday, top security executives agreed that corporations, which have largely shied away from sharing any information about their vulnerabilities, need to open up as never before. And, they said, it’s not going to be easy to make it happen.
"When IT security people say they're all for sharing, what they mean is, 'Give me your stuff,'" said Mike McConnell, the former director of the National Security Agency and current vice chairman of consulting firm Booz Allen Hamilton.
What's more, McConnell said, the corporate security community typically balks at proposed legislation because of privacy concerns and a desire to avoid more regulatory oversight. But whether sharing is enforced through legislation or happens as a result of an effort by industry, corporations are going to have to warm up to the idea of handing over cyber-threat data to their peers and even their competitors.
"Information sharing is all about trust," said Anish Bhimani, chief information risk officer for financial services giant JPMorgan Chase. "Someone has to be willing to say, we'll go first."
Sam Phillips, vice president of corporate security for BlackBerry, took it one step further. "If you're trying to hold [threat information] to yourself, you're never going to be successful" in your cyber-fighting efforts, Phillips said. "Until you get the trust going, and you get the sense of 'I'll go first, and I'm willing to share,' none of this stuff works."
For companies that can't stomach moving so quickly with sharing such sensitive data, Gary Warzala, CISO for Visa, suggests they start sharing with established partners and other companies with whom they have relationships. "It's survival, and we really are dependent on each other," said Warzala. "We're all in this together."
Mere sharing won't be enough, McConnell said. It has to happen at Internet speed, especially as threats coming from abroad continue to grow rapidly. That also raises the specter of needing to share cyber-threat data globally, something McConnell insists the U.S. is behind on.
"If we get to the point where we need to worry at a higher level and can't share at the speed of the Internet," said McConnell, "that raises serious problems."
In a keynote address later in the day, Mike Fey, worldwide CTO for McAfee Inc., agreed that speed is of the essence in a field that's tended to rely heavily on historical views of threat data. The more real-time the data, said Fey, the more valuable it is in fending off threats.
"If you find yourself in a bar fight, you want to find out you're in it as early as possible," he told a hall packed with thousands of security pros. "That's the interactive phase; that's when you can do something about it."
Still, even if widespread sharing is happening in real time, or at least near-real time, sharing raw data alone won't have the desired impact. A threat report, Fey said, has to be accompanied by contextual data: the administrative rights the threat requires, the nature of its content, and the potential risks it poses.
Daunting as it all sounds, the solution is closer than many realize, according to Fey.
"We can deliver this as an industry," he said. "We totally can."