President Obama recently announced initiatives to improve cybersecurity through information-sharing, and the House just passed two bills to address this issue. But is information-sharing enough to keep companies and government institutions safe from threats in cyberspace?
Martin Libicki, senior management scientist for the RAND Corporation, recently testified on the subject before the House Homeland Security Committee. Libicki explained that information-sharing can and should be an important element in efforts to ensure that defenders learn from each other faster than attackers learn from each other. That attackers do learn from each other is a finding from research that RAND conducted for a report released last year on cybercrime markets.
However, the current legislative proposals represent an enormous amount of political energy dedicated to what is actually a narrowly focused solution to the problem of cybersecurity. Instead, a much broader approach is required. The usefulness of threat-based information-sharing rests on assumptions about the nature of the threat itself:
- A sufficient share of all serious attacks comes from specific black-hat hacker groups, and each group carries out enough attacks over a period of time that its modus operandi can be characterized.
- Each attacker group generates a consistent set of signatures that recur in multiple attacks (and that can be used reliably by defenders to distinguish their attacks from benign activity).
- These signatures are detectable by organizations interested in sharing.
- Such signatures will not evolve (enough) over time—even if information-sharing became so widespread that the failure to evolve would make it too hard for hacker groups to penetrate and compromise networks.
Such assumptions would have to be largely or totally true before the value of establishing an information-sharing apparatus can justify the effort to operate it, persuade organizations to contribute to it, and offset the residual risks to privacy that such information transfer may entail.
So while information-sharing can address some issues, policymakers might consider other options such as bug bounty programs or isolation standards for critical physical infrastructure. Unfortunately, quelling the nation's cybersecurity problems is a complex, multi-faceted endeavor for which there is no silver bullet.
Sharing Information About Threats Is Not a Cybersecurity Panacea
Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar