Put Up or Shut Up
By Mary Ann Davidson-Oracle on Aug 17, 2012
One of the (usually) unfortunate concomitants of being a veteran in the cybersecurity space (“veteran” as in, I can remember when everyone called it “information security”) is that you get to hear the same themes over and over again (and solve the same security problems over and over again, only with different protocols).* Not to mention, you experience many technical revival meetings, which is industry’s way of promoting the same old same old under new exhortations (“Praise the Lord! I found eternal life with <insert sexy technology cult du jour>!”)
One of the topics that I am tired of talking about and would like us collectively to do something about is (drum roll) information sharing. Now, information sharing is not a cure-all for every ill in cybersecurity. It is a means to an end, not an end in itself. Specifically, information sharing is a means to enhance situational awareness, which in turn helps networked entities defend themselves better (“Excuse me, I see a mugger is about to swipe your purse. You might want to hit him with it or switch it to your other shoulder.”)
As a basic enabler of better defense, information sharing is certainly a no-brainer, and yet it largely doesn’t happen, or doesn’t happen enough, at least among the good guys. The bad guys, of course, are really good at information sharing. Techniques, tools, top ten lists of badly secured web sites – bring it on, woo hoo. The hacker toolkits are so good now that even someone as technically challenged as I am could probably become a competent Internet evildoer (not that I have any plans to do so). And yet industry and government have spent more time writing tomes, doing PPTs and drafting policy papers that use the magic words “public-private partnership” than making actual – make that “almost any” – progress. Sharing policy papers, I hasten to add, is not the kind of information sharing that solves actual problems. So here it is, all y’all: time to put up or shut up on information sharing.
I say this in my experience as a member of the IT industry Information Sharing and Analysis Center (IT-ISAC) (OK, I am the current president, but I am not speaking for the IT-ISAC) and as a security weenie at Oracle. I can state pretty categorically that I have been astonished – and depressed – at what currently passes for information sharing, despite years of gum flapping about it. The government agencies that are tasked with it generally don’t do it, for example. I find it ironic that the same entities that can’t or won’t tell you you are being broken into – or are about to be – think in some cases that the better solution is for them to just take over protection of your company’s networks after you’ve been broken into. Huh?
More to the point, surprisingly, and delightedly, other agencies that are not tasked with information sharing (e.g., an entity I cannot name by name but that is not part of the Department of Homeland Security (DHS)) recently went to great lengths to contact the IT-ISAC and bring “interesting information” to the attention of the IT-ISAC because they’d seen suspicious activity related to some member companies. Bravo Zulu to you, Unnamed Government Entity. It was not your mission to share that information, but you made an effort and did it, anyway. I wish you'd make a hostile takeover attempt on the entity that is supposed to share information and doesn’t, probably because their lawyers are still mulling it over. If I sound harsh, consider that I have spent 10 years having the exact same conversations over and over and over and nothing seems to change except the people you are having the conversations with. To quote Yoda, “Do or do not. There is no try.”
Other government agencies may call you but you get mysterious intimations and in some cases nothing actionable. I certainly understand that a recipient doesn’t – and probably shouldn’t – receive information about how the reporter got the information (e.g., sources and methods). I know I don’t have a “need to know.” But the information has to be actionable or it’s useless. For example (and I know they meant well), I once got a phone call from Agency X who said, “we have a credible threat that an entity in Country Y (and We All Know Who That Is) is interested in stealing (only they used a more bureaucratic term) the source code for Oracle Product Foo.” Gosh, really? The only news there would be if that country were not out to rip off…er…steal…er…conduct industrial espionage…er…enhance their native manufacturing capacity by ‘active acquisition’… of someone else’s core intellectual property. The next statement was even less helpful: “The details about the threat are classified.” On the one hand, glad Agency X called. Points for trying. On the other hand, the warning was so vague it was not actionable and it certainly didn’t tell me anything I didn’t already know. I wish they’d saved the 35 cents that the call cost and used it to reduce our national debt.
So, the agencies that should share information don’t share much if anything and ones that do in some cases don’t give you information in enough detail such that you can do anything with it. And other good agencies do the right thing although they aren’t tasked with it. It’s not a great report card for the government (more on industry below, lest anyone think I am being one-sided in my criticism). Note that there are people across the political spectrum (and better security really should be an ecumenical issue) who, to their credit, have tried to pass legislation that would help provide “better information sharing” as one of several things we could do to help improve cybersecurity. “Better information sharing” seems a mom-and-secure-apple-pie proposition if ever there was one. Except that a bill that proposed that – and various other iterations of bills – did not pass and for now Congress has gone on vacation like so many of us do in August. There are many reasons why there hasn’t been a consensus cyber bill passed – and I’m not going to go into all that** – but for Pete’s sake, improving government information sharing with industry and vice versa really should be something everyone agrees on.
Another reason that even “kumbaya information sharing 101” couldn’t get a consensus was because of Privacy Concerns. You do wonder about people who are really happy telling intimate details of their lives on Facebook but don’t think the government should be able to receive information about anybody’s attempts to hack critical infrastructure. (Because that’s what we are talking about, not “sending information about the amount of time you spent visiting cutepuppiesandbunniesandduckies.com to the National Security Agency,” which, I am pretty sure, is truly not interested in that information – they have bigger evil fish to fry – and doesn’t view your bunny obsession as a national security threat.)
This is a good time to say that the type of information sharing I am talking about is the voluntary kind (though “highly encouraged” information sharing pursuant to a court order is also good – I’m nothing if not law-abiding). I have zero interest in handing over everything, including the digital kitchen sink, because someone decides they should get everything you have and only then figure out what they actually need. “Need to know” goes for the government, too.
Ergo, at a macro level, I’m glad there are people who are concerned and involved as regards digital privacy. But at the same time, I am frustrated because any time there is even a common sense proposal (legislative or otherwise) about information sharing, privacy hawks seem to come out of the woodwork and Express Grave Concern that either national security or homeland security agencies might actually get useful information from industry to enable them to do their national or homeland security jobs better. Or, God forbid, that industries under non-stop attack from bad guys (including hostile nation states intent on ripping us all off) might actually receive useful and actionable intelligence to help them close open digital doors and windows and keep vermin out. Wouldn’t that be awful?
Because I like analogies, I’d like to offer some perspectives from the real (non-cyber) world that will, at least, illustrate why I am so frustrated and want us to stop talking and start doing. I’d observe that in the physical world, we really don’t seem to have these Concerned Discussions,*** mostly because people understand that we live in communities and that we have a collective interest in making sure we have a secure commons. (Duh, it’s exactly the same issue in the digital world.) Here we go:
Scenario 1: I see a couple walking their dog on the street. They walk by my house and my neighbor’s house. The dog is a Labradope that barks incessantly and the owners don’t clean up after him.****
Result: I might not like the fact the dog doo-dooed on the arctic willows I painstakingly planted, but this is not a national emergency and it’s not suspicious activity. I’ll clean up after the dog and be done with it. I’m not calling the Wood River Animal Shelter Dog Doo Hotline or the Ketchum Police Department Canine Crap Cop.
Scenario 2: I see someone attempting to enter a window in my neighbor’s house, at 7PM, when my neighbor has gone to the Sun Valley Symphony (they are playing Mahler, whom I don’t care for, which is why I am home instead of at the symphony).
Result: I’m calling the police. I’m also going to give the police as much information as I can about the person doing the B and E (breaking and entering) – what he looks like, how old, how he is dressed, etc. What I am not going to do is think, “Wait, I can’t provide a description of the breaker-inner because gosh, that might violate the perp’s right to privacy and bad taste in clothes. The police showing up when the criminal is doing a breaking and entering job is creating a hostile work environment for him, too.” If you are breaking into someone’s home, you do not have a right to privacy while doing it. Even realizing that there might be false positives (it’s the neighbor's kid, he locked himself out and is breaking into his own house), most of us would rather err on the side of caution and call the cops. We aren’t telling everyone on the planet about “attempted break-in on Alpine Lane,” but we are providing targeted information about a malefactor to the group (Ketchum Police Department) that can do something about it.
In short, if I am a decent neighbor, I should do what I can to protect my neighbor’s house. And as long as I am on the subject, if every house in the neighborhood has been broken into, I would like to know that before someone tries to break into my house. It would be nice if the police told me if there is a rash of B and Es in my neighborhood. (Given it’s a small town in Idaho and we have a really good police department, I’m pretty sure they will tell me.)*****
This is what information sharing is, folks. It’s not telling everybody everything whether or not it is interesting or useful. The above examples all have “cyber equivalents” in terms of the difference between sharing “all information” and “sharing interesting information” – which is exactly what we are talking about when we speak of information sharing. There isn’t a neighbor in the world that is busy taping everyone walking dogs by their house (and don’t forget those close-ups of the Labrador committing indiscretions on your plants). Nobody cares about your incontinent Labrador. You share information that is targeted, of value, of interest and where possible, actionable. That’s true in the physical world and in the cyber world.
I’ve been doing a bit of government bashing regarding “failure of government agencies to share information.” It is only fair that I also do some industry bashing, because information sharing is something some sectors do a lot better than others, yet it is something everyone could and should benefit from. Not to mention, I am mindful of the Biblical wisdom of “Physician, heal thyself” (Luke 4:23).
While the government can add value in information sharing, it is not their job to defend private networks, especially when the private sector – merely by virtue of the fact that they have more digital real estate – gets to see more and thus potentially has more information to share with their neighbors. Not to mention, industry cannot have it both ways. There is a lot of legitimate concern about regulation of cyberspace, mostly because so much regulation has unintended, expensive and often unfortunate consequences. This is all the more reason to Be A Good Cyber Citizen instead of waiting for the government to be the source of all truth or to tell you How To Be A Good Cyber Citizen. Industry participation in information sharing forums is a demonstration of voluntary sector cybersecurity risk management without the force of regulation. As I said earlier, “put up or shut up,” which goes just as much if not more for industry as for government.
While ISACs are not the only information sharing vehicles that exist, they were set up specifically for that purpose (in response to Presidential Decision Directive 63, way back in 1998). It’s a fair cop that some of the ISACs have done better at performing their mission than others. Not all ISACs are equal or even have the same mission. Still, each ISAC has its own examples of success and it is often difficult for those not participating in specific ISACs to see the value they deliver to members (to protect member information that is shared, most ISACs have non-disclosure agreements that prevent information from being shared outside the ISAC membership).
I’d specifically note that the multi-state ISAC and the financial services ISAC both seem to operate very well. There are, I think, many reasons for their success. First of all, the multi-state ISAC and the financial services ISAC have more homogeneity, for lack of a better word. A state is a state is a state – it’s not also a planet. (Except California and Texas, which often seem like Mars to the rest of the country. Bless their lil’ ol’ hearts.) This makes it easier to recognize the obvious benefit of cooperation. To quote Ben Franklin: "We must, indeed, all hang together, or most assuredly we shall all hang separately.” The financial services sector gets this really well: any perceived threat to an individual financial services company is likely to affect all of them, either because of the perception problem that a successful hack creates (“online banking is insecure!”) or because criminals like to repeat successes (to quote Willy Sutton when asked why he robbed banks, “that’s where the money is”). You can’t imagine a bad guy saying, “I’m only going to hack Bank of Foobaria because I don’t like that bank, but Bank of Whateversville is a really nice bank – they hand out dog biscuits – so I am not going to hack them.”
I think leadership is also a factor. I don’t know the originators and past presidents of the Financial Services ISAC, but Bill Nelson has done a tremendous job as the current President of the Financial Services ISAC. I also know Will Pelgrin at the multi-state ISAC and he is a very good, very skilled leader, indeed, and a generous colleague, to boot. Will has been gracious with his time and expertise to me personally in my role as the IT-ISAC president, and I am grateful for it.
While the IT-ISAC has a long list of accomplishments that it is justifiably proud of, the IT-ISAC also faces unique challenges. One of them is the nature of the ISAC and its constituency. The IT industry is less homogeneous than other sectors, including both “soup to nuts” stack vendors as well as security solution vendors that make a business out of sharing threat information. Being a die-hard capitalist, I don’t expect these companies to give away their secret sauce, plus French fries and a hot apple pie to avoid Ben Franklin’s collective hanging. While I think the diversity of the IT sector, the variance in business practices and the “not giving away the store” issues are real challenges to the IT-ISAC, they also provide real benefits. The IT-ISAC provides a forum for bringing together subject matter experts from diverse companies to engage on and discuss common security threats. The IT-ISAC is also moving from an organization focused on vendor vulnerabilities to one that assists members in understanding the rapidly-changing threat environment. For example, we have established a group within the IT-ISAC membership that has agreed to share threat indicator information with each other.
As President of the IT-ISAC, I am committed to doing what I can to try to expand membership, to find common ground (e.g., threat information that even security vendors feel comfortable sharing that benefits everyone, without expecting them to share secret sauce recipes), and finding ways to work with our counterparts in the public sector. I am not the first, and won’t be the last, IT-ISAC president, and I am blessed with an extremely capable executive director and with the generosity of colleagues on the Board. As I learned in my Navy days, I must do my best to steer a steady course to favorable shores.
Lastly, I think the biggest hurdle we in industry collectively need to get over is the trust issue. We seem to be more fearful of other companies than we are of being hacked by bad guys. (“If I share this information, will a competitor use it against me?”) Trust has to be earned, but it can be garnered by outreach and by making an effort to start somewhere. I think of a fine gentleman and public servant who has recently retired from NSA, Tony Sager. Tony was a public face of NSA in terms of working with industry in the information assurance directorate (IAD). He and his team did a lot of outreach: here’s who we are, here’s what we do, let’s talk. Tony did a lot of listening, too. I have said often that if I had a problem in a particular area, I’d not hesitate to call Tony and his team. They had the creds, they had the smarts, and they had earned – yes, earned – my trust. We in industry, who see most of the threats, who are so often the direct victims of them, should take a cue from Tony. Use our “creds” and our intelligence (of all types) to improve the commons. We can start by sharing useful, actionable, valuable information that will help all of us be more secure. It is often said the bad guys are a step ahead of the defenders. This is true with information sharing as well: the bad guys play nicely with other bad guys – so why can’t we good guys get along?
If you are sitting on the sidelines, it is time to get involved and engaged. Instead of sitting on the outside complaining that there is no effective way to share information, join an information sharing organization (I’m partial to ISACs), get involved in it, and help shape and move the organization so that it meets your needs. Just get on with it, already!
* The fact that technology changes but stupidity repeats endlessly is job security for security weenies. Rule number 1 of information security is “never trust any unverified data from a client.” Rule 2 is “see rule 1.” Most security defects stem from failure to heed rule 1 – and we keep doing it every time we introduce new clients or new protocols. The excuse for lazy-ass servers or middle tiers is always, “Gosh, it’s just so much easier to accept any old thing the client hands you because it is computationally intensive to verify it. And nobody would send evil data to a middle tier, would they?” Right. Just like, think of all the cycles we’d save if we didn’t verify passwords. I’m sure if a client says he is John Doe, he IS John Doe! (Good luck with that.)
** Ok, I lied. One of the reasons various bills failed is because the bill drafters wanted “better security to protect critical infrastructure” but could not actually define “critical infrastructure.” If “it” is important enough to legislate, “it” should be clearly defined in the language of the bill, instead of subject to interpretation (and vast scope increase ex post facto). Just my opinion.
*** With the prospect of increased drone use in our domestic environs, we are going to have a lot more privacy discussions. What I barbecue in my backyard is none of anyone else’s goldurn business.
**** Ok, I know a lot of people love Labs. Apologies to anybody I offended.
***** Since I live a couple of blocks from the police, it’s pretty darn stupid of anybody to try to break into any house in the neighborhood.