Sharing of threat and viral information has benefited the healthcare industry, so the same can work in cyber security.
Speaking in the opening keynote at the Black Hat conference in Las Vegas, In-Q-Tel CISO Dan Geer said that he believed that cyber security has a dual purpose, for good or evil, but that dual use was inherent in security tools.
Moving on to mandatory reporting, Geer made the analogy between releasing information on diseases, and how much is learned and achieved from information sharing. He said that in an outbreak, data is stored and analytics are used by alert teams. “Everything else is details but what is fundamental is mandatory reporting of diseases,” he said.
“Would it help to have this for cyber security failures? For Government or non-Government entities, you should you face penalties if you do not share. There are 48 states do have mandatory disclosure and 46 of them require data breach reporting laws. The Verizon data breach investigations report (DBIR) said that 70-80 per cent of breaches were discovered by third parties, and not by the victim, so if you discover an attack do you have a mandate to report it? Diseases spread and malware is global, don’t think this is without complexity.”
Moving back to the pharmaceutical analogy, he said that drugs are not saleable until they are proven to be useful, and that delays treatment to those who need it. “The question is do you do it if everyone else has to and as long as everyone assumes the cost of it, and regulation of requirement to pass that cost along. You decide how much more straw you put on camel without breaking it,” he said.
He said that he has talked to common vulnerability and exposures teams, and they have “never failed to listen to something submitted to them”. Saying that there are a lot of silent failures, he said that you cannot hide an airplane crash but can hide a near miss. “The war council idea I think is a reaction to information sharing that might inform defence, but now we talk about sharing that information for offence and I think we have reached the point where a state level offence is not something we can manufacture a forcefield for,” he said.
“Sufficiently motivated attackers can break almost anything and they are getting better with better tools and people. Is the curve upward as an attack surface? It is upward as we are adding skills and techniques, but we are losing as we don’t know how to measure. We have the ability to do a stress test, but only after an event.”
He went on to say that the goal is no silent failure, but there is “rampant silent failure”, and that silent failure dominance is an indictment of failure. “Breach notification a great idea and if it is mitigated in state of security, we do not criminalise losing data.”