Archive for the ‘Information Sharing’ Category

The Importance of Effective Information Sharing

January 29th, 2015 No comments

SCharney2 012815

This week, I testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs at a hearing on “Protecting America from Cyber Attacks: the Importance of Information Sharing.” It was good to see that the committee’s first hearing of the 114th Congress focuses on cybersecurity issues generally, and information sharing in particular, and I’d like to summarize the key points of my testimony.

There is no doubt that cybersecurity is an important issue for America, other nations, the private sector, and individuals. In an effort to better understand and help address the challenges we face, I regularly engage with government leaders from around the world, security-focused colleagues in the IT and Communications Sectors, companies that manage critical infrastructures, and customers of all sizes. From those interactions, I have concluded that cyber-attacks have joined terrorism and weapons of mass destruction as one of the new, asymmetric threats that puts countries, corporations, and its citizens at risk.

With global threats, global actors, and global networks, no one organization – public or private – can have full awareness of all the threats, vulnerabilities, and incidents that shed light on what must be managed. There is no doubt that sharing such information can and has protected computer users and increased the effectiveness of the security community’s response to attacks. For example, in 2009, the Conficker Working Group came together to share information and develop a coordinated response to the Conficker worm, which had infected millions of computers around the world. After the working group developed a mitigation strategy, Information Sharing and Analysis Centers (“ISACs”) were mobilized, company incident response teams were activated, government responders were engaged, and the media reported as milestones were reached and services were restored. The challenge was addressed, and quickly.

Why is it, then, that after 20 years of discussion and proof of effectiveness, information sharing efforts are viewed as insufficient? The short answer is that while there are success stories, it is often true that those with critical information are unable or unwilling to share it. They may be unable to share it due to law, regulation, or contract, all of which can create binding obligations of secrecy and expose a company to legal risk if information is shared. Even when those restrictions permit sharing pursuant to authorized exceptions, legal risks remain, as parties may disagree on the scope of the exception. There are also non-legal, non-contractual risks; for example, a company that discloses its vulnerabilities may suffer reputational risk, causing both customers and investors to become concerned. It may even suggest to hackers that security is inadequate, encouraging other attacks.

With all these challenges in mind, we believe there are six core tenets that must guide information sharing arrangements:

1. Information sharing is a tool, not an objective.

2. Information sharing has clear benefits, but poses risks that must be mitigated.

3. Privacy is a fundamental value, and must be protected when sharing information to maintain the trust of users – individual consumers, enterprises, and governments – globally.

4. Information sharing forums and processes need not follow a single structure or model, and governments should not be the interface for all sharing.

5. Government and industry policies on information sharing should take into account international implications.

6. Governments should adhere to legal processes for law enforcement and national security requests, and governments should not use computer security information sharing mechanisms to advance law enforcement and national security objectives.

Information sharing has and does work. But it works because the parties see that the benefits (better protection, detection and response) outweigh the risks. History also teaches, however, that information sharing tends to work best when those involved trust each other to respect informal and sometimes formal agreements (e.g., non-disclosure agreements) on information use and disclosure.

The two most important things Congress can do are (1) ensure that the information sharing arrangements that are working effectively are left undisturbed; and (2) encourage additional information sharing by providing protections for shared information and addressing risks posed by information sharing, including privacy risks.

You can read my full testimony here.

Putting Information Sharing into Context

January 27th, 2015 No comments

Putting Information Sharing into Context: New Whitepaper Offers Framework for Risk Reduction

The nearly incessant drumbeat of cybersecurity incidents over the past weeks and months has brought about renewed interested in information sharing across the technical and political spheres. For example, earlier this month the White House proposed legislation to encourage information sharing which President Obama also referred to in his State of the Union address. When it comes to cybersecurity, the right information exchanged or shared at the right time can enable security professionals and decision makers to reduce risks, deflect attacks, mitigate exploits and enhance resiliency. In this case, forewarned really can mean forearmed.

Information sharing is not a novel idea. A number of initiatives around the world have been in place and working successfully for some time. For example, here at Microsoft we have a program in place that gives security software providers early access to vulnerability information so that they can provide updated protections to customers faster. From this and other programs of various sizes we have learned that despite the increased focus on collective action from both private practitioners and policy makers around the world, effective information sharing is not an easy undertaking. It requires clear definitions and objectives rather than solely words of encouragement, or mandatory requirements. Furthermore, it is all too often viewed simply as a goal in and of itself rather than as a mechanism for improving security, cybersecurity assessment, and risk management. Finally, and from the public-private partnership perspective most pressingly, information sharing can quickly expand into controversies involving originator control, trust, transparency, privacy and liability.

To help put this complex issue into context, today we are releasing a new white paper: A framework for cybersecurity information sharing and risk reduction. Leveraging Microsoft’s decades of experience in managing security for our products, infrastructure, and customers, the paper provides a taxonomy for information exchanges including types, actors, and methods. We believe that understanding how to incentivize information sharing and how to better harness the practice for risk reduction can help move policy and strategy debates forward and support better defence of cyber assets and infrastructure. The paper concludes with a discussion of best practices and seeks to lay the groundwork for a more formalized, collaborative approach to information sharing and implementing exchanges through a set of recommendations. I hope that it can serve as a relevant and timely guide for anyone with responsibility for developing new ideas and solutions for information exchanges.

Information Sharing Infographic