CyberWire Daily - Breaking the information sharing barrier.
Episode Date: September 16, 2024
Rick Howard, N2K CyberWire's Chief Analyst and Senior Fellow, turns over hosting responsibilities to Errol Weiss, the Chief Security Officer (CSO) of the HEALTH-ISAC and one of the original contributors to the N2K CyberWire Hash Table. He will make the business case for information sharing.
References:
White and Williams LLP, Staff Osborne Clarke LLP, 2018. Threat Information Sharing and GDPR [Legal Review]. FS-ISAC.
Senator Richard Burr (R-NC), 2015. S.754 - 114th Congress (2015-2016): To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes [Law]. Library of Congress.
Staff, n.d. National Council of ISACs [Website]. NCI.
Staff, 2020. Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 [Guidance]. CISA.
Staff, 2023. Information Sharing Best Practices [White paper]. Health-ISAC.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code
N2K at checkout. That's joindeleteme.com slash N2K, code N2K.
Hey, everybody.
We're back.
We're back.
In our own backyard.
We are back.
Welcome to Season 15 of the CSO Perspectives podcast.
And if I do say so myself,
the interns down in the Sanctum Sanctorum
have created something special for this season,
and I think you're really going to like it.
You all know that this show has a stable of experts
who graciously accept invitations
to visit us here at the N2K Cyber Wire hash table
in order to provide us and you some clarity about the issues we are trying to understand.
At least that's the official reason we have them on the show.
In truth, though, I bring them on to hip-check me back into reality when I go on some of my crazier rants.
We've been doing it that way for almost four years now, and it occurred to me that these regular visitors to the hash table were
some of the smartest and well-respected thought leaders in the business. And in a podcast called
CSO Perspectives, wouldn't it be interesting and thought-provoking to turn the mic over to them for
an entire show to see what's on their mind? We might call the show Other CSO Perspectives. So
that's what we did. Over the break, the interns have been helping
these Hashtable contributors get their thoughts together
for an entire episode of this podcast.
So hold on to your butts.
Hold on to your butts.
This is going to be fun. My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum studios,
located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and
technologies that senior security executives wrestle with on a daily basis.
Errol Weiss is an old friend and a colleague of mine.
We've been working together and around each other for going on 20 years.
For the last six years, he's been the chief security officer at the Health ISAC
and has been one of the original contributors to the N2K CyberWire hash table from the very beginning.
For this show, he's going to make the business case for information
sharing, and there's nobody in the world more qualified to do it. He ran the SOC, the Security
Operations Center for the original financial sector ISAC, the FS-ISAC, immediately after
President Clinton started the ISAC program in 1999, and then served as an FS-ISAC board member
for over five years, and then later worked for
Citibank on, among other things, the bank's information sharing program. For those of you
doing the math at home, that's almost 25 years of experience doing cybersecurity information sharing.
Here's Errol. Thanks, Rick. It's really great to be here. In the quickly evolving cybersecurity
threat landscape,
sharing information between institutions is critical to improve defenses against increasingly sophisticated threats.
Cooperation between organizations can strengthen everyone's defenses,
but it's an approach that requires openness and transparency,
something that many organizations might be reluctant to do.
To a certain extent,
the reluctance is understandable. The decision to share information about incidents, vulnerabilities,
and best practices is often stymied by concerns over legal and compliance risks. In my experience,
legal counsel has been cautious about sharing information on cybersecurity, advising
against sharing sensitive information because
of the perceived risks. Typically, lawyers only see the downsides of sharing such information.
Hey, if you're a lawyer, I'm sorry for the overgeneralization, but that's what I see
happening more often than not. However, this approach, though well-intentioned, often fails
to realize the bigger benefits that come from information sharing.
I know that info sharing can ultimately improve the resilience of your organization
and even improve security and resilience across the entire industry.
Collectively, businesses need to formulate strategies to share information about cybersecurity risks and breaches.
Sharing information about an incident helps people learn from others who
experience similar attacks, enabling organizations to recover faster and more efficiently. Companies
can share information that will help enhance the defense of other organizations, like information
about angles of attack, prevention and mitigation strategies, and a host of other things. Because in the long run, they'll be protecting themselves from future cyber threats.
The info sharing process starts with support from top-level management.
The C-suite, your top executives like the CEO, CFO, CIO, CISO, and others.
They all play a critical role in shaping an organization's approach around
cybersecurity. In the context of information sharing, the C-suite's role is pivotal in driving
the cultural and operational changes needed to transition from a risk-averse stance to one that
recognizes the strategic value of collaboration and information exchange. One of the most successful initiatives that C-suite
leaders can champion is participation in an industry-specific information sharing and analysis
center, or ISAC. ISACs were specifically designed to facilitate the trusted exchange of information
among critical infrastructure sectors, and they offer a trusted way to share information.
The ISAC concept is a proven model that has stood the test of time.
In fact, the 25th anniversary of the first operational ISAC,
the Financial Services ISAC, is coming up in October 2024.
By opting into an ISAC, not only can organizations protect themselves, but they also contribute to the collective security of their entire industry. Through ISACs, the C-suite can
lead the change in fostering a collaborative approach to cybersecurity,
one that transcends individual organizational boundaries and builds a
stronger, more resilient defense against the ever-evolving threat landscape.
Cyber threats are not isolated incidents.
They often follow patterns and repeatedly exploit common vulnerabilities across the internet.
When one organization falls victim to an attack,
the lessons learned there can be invaluable
to others facing similar threats.
Information sharing can preemptively strengthen defenses, improve incident response, and foster a collaborative approach to cybersecurity across sectors.
Despite these benefits, many companies hesitate to share information due to the perceived legal risks.
This reluctance stems from fears of liability, reputational damage,
or inadvertently disclosing sensitive information that could be exploited against the firm.
They also might view sharing information as giving away a competitive advantage. But at the end of the day, in general, organizations don't compete against each other on security.
Instead, the failure to share critical insights can have far-reaching consequences, not just for the individual companies, but for entire industries.
Said another way, bad security for one organization is bad security for the entire sector.
Just as an example, when I worked in the finance sector during the early days of online banking, we all realized that an incident at a major bank could erode public trust, so we had
an incentive to protect each other. On the other hand, embracing information sharing within and
across industries can provide compelling advantages, particularly in the context of cybersecurity and risk management.
Number one, enhanced risk management. Sharing information about emerging threats and
vulnerabilities allows organizations to stay ahead of potential attacks. By receiving early
warnings and intelligence from peers and industry groups, companies can implement preventative
measures before they
become a target. How about that? Now that's a protective approach that can reduce the likelihood
of successful attacks and minimize damage. How cool! When organizations share information about
cyber incidents and breaches, they also benefit from collective intelligence. The shared knowledge
can lead to better incident response strategies, faster identification of attack patterns, and
improved remediation efforts. A well-coordinated response informed by
real-time information can significantly reduce the impact of an incident. Also,
shared intelligence creates a broader perspective on the evolving threat
landscape.
By pooling resources and insights, organizations can identify trends and patterns that may not be apparent when operating alone in isolation.
This collective understanding enables more accurate threat modeling and forecasting, allowing organizations to anticipate and prepare for future attacks much more effectively.
Number two, cost savings and resource efficiency.
Information sharing often involves exchanging not just threat intelligence,
but also tools, techniques, and best practices.
The shared knowledge can lead to cost savings as organizations can leverage community resources like security
frameworks, automated detection rules, and incident response templates. By collaborating on the
development and refinement of these items, you can avoid duplicating efforts and reduce the overall
costs of maintaining robust cybersecurity defenses. When you work in isolation, you're more likely to
duplicate efforts in threat research,
vulnerability assessments, and mitigation strategies. What I mean by all of that is that
when we learn about a new threat, the security teams at each company are working independently,
coming up with their own threat analysis and mitigation plans. However, if we work together
and crowdsource the solution as a whole, we're not only more efficient, but I'll bet we even have a better solution at the end.
By sharing information, organizations can consolidate their efforts, focusing on addressing unique challenges, and benefit from collective expertise.
Number three, compliance and legal benefits. Many industries are subject to regulatory requirements related to information sharing and cybersecurity. Although some may perceive information sharing as a compliance risk, fearing that sharing sensitive information could expose them to legal liabilities, participating in information sharing initiatives is actually a way to ensure compliance.
Regulations often require companies to stay up to date on the latest cyber threats and best practices. And sharing information helps organizations do exactly that. By staying
informed and sharing insights with industry peers and regulators, organizations can better
protect themselves from breaches that could lead to
non-compliance. In fact, information sharing demonstrates a proactive approach to risk
management, which can strengthen an organization's compliance posture and reduce the likelihood of
regulatory penalties. A transparent, collaborative approach to cybersecurity can provide legal
protection by showing that an organization is
actively taking steps to meet its regulatory obligations. As a side note, being transparent
during an incident and sharing with the community can also go a long way in improving public trust.
Organizations with mature information sharing processes follow frameworks and guidelines that help them navigate
legal complexities. By sticking to these established practices, organizations can mitigate
legal risks and avoid potential pitfalls associated with information sharing. So what am I talking
about? Here's an example of an information sharing governance structure. You define the types of information your organization will share.
You decide who you'll share that information with.
And then you determine who in their organization has the ability to release that information.
Get the buy-in on this from senior leadership and your internal counsel and you're golden.
There's a great example of this governance model in the InfoSharing Best
Practices white paper. I've included a link to the white paper in the show notes. This structured
approach ensures that information is shared responsibly on behalf of your firm and in
accordance with legal requirements that you've established with your own internal counsel.
Number four, innovation.
Collaboration and information sharing can drive innovation,
not only in cybersecurity tactics,
but also in the development of novel products and services and best practices.
When organizations exchange information about operational procedures,
they often gain insights into more efficient ways of doing things.
Plus, you can learn about emerging technologies and market trends that extend beyond cybersecurity.
This new shared knowledge can lead to improved business processes and better buying decisions.
It can even inspire new product ideas or service offerings.
For example, a company might learn about new software tools or automation techniques
through information sharing networks. These could lead to being adapted and repurposed to create
innovative products or services that can enhance their market offerings. This blending of shared
intelligence and resources accelerates the organization's ability to innovate, not just
in how they protect their assets, but in how they grow
their business and remain competitive in a dynamic market.
And lastly, number five, professional development.
Not only is there a benefit for organizations to improve cybersecurity by participating
in information-sharing networks, you as an individual can benefit too through personal
and professional development and through the satisfaction of giving back to the community.
There's so much to learn from others in the community, technical knowledge, best practices,
and even leadership techniques. And I'm talking about knowledge that helps improve you,
and it's something that you get to keep forever. So often I hear people
say that they get much more out of information sharing than what they put into it. It becomes
addictive and in a good way. As an example, when I was at Citibank, I was on the front lines when
other banks were sharing information about serious incidents that they were experiencing.
I saw good examples of how people behaved through an incident
and some not so great examples. I admired those that remained cool and calm under pressure
while leading the charge through the incident, and I learned from them.
I learned behaviors that I know helped me improve personally and professionally. Despite the clear business case for information sharing,
there are unfortunately some real and perceived legal and compliance challenges that prevent
sharing information about cybersecurity incidents. These challenges span various domains and include legal and regulatory complexities,
risks of exposure and misuse, trust issues, technical barriers, and cultural and organizational
obstacles. I'm going to talk about each one of those. Here's the first one. For legal and
regulatory complexities, one of the most significant challenges to information sharing are the legal and regulatory requirements. Organizations operate under a variety of laws, rules,
and regulations that govern how they handle and share sensitive information. For instance,
data protection regulations like the General Data Protection Regulation, or GDPR in Europe,
imposes strict requirements on the sharing of personal data.
Not all is lost, though, for info sharing, and there are allowances within GDPR that provide
for information sharing. In fact, the FS-ISAC published a white paper on this issue back in
2018. I've got a link to the paper in the show notes. In the U.S., closer to home, the
Cybersecurity Information Sharing Act of 2015
encourages public and private sector information sharing and provides for liability protection as
well. Again, see the show notes for the link to that paper. It's really not that difficult,
so long as you ensure that any information shared with others complies with these regulations.
Anonymizing data is a powerful and
effective way to avoid problems here, but in reality, the types of information shared to help
protect the community often contain zero sensitive personal information. So we're really just talking
about some edge cases that can be covered by a decent info-sharing governance structure.
I've talked about how to do that before. See the info-sharing best practices paper. There's a link there in the show notes.
So back to the legal perceptions. The failure to comply with the privacy regulations can result
in severe penalties, making the lawyers and senior leadership hesitant to share information, even when it could benefit
the broader community. The lack of harmonization between the laws in different jurisdictions
further complicates cross-border info sharing because what's allowed in one country may not
be allowed in another. Regulatory bodies might impose restrictions on the types of information
that companies can share, especially when it involves national security issues or the protection of intellectual property.
These restrictions can create uncertainty and fear of noncompliance,
again deterring organizations from participating in information-sharing initiatives.
The complexity of navigating these legal landscapes
often requires organizations to invest dollars in legal counsel and compliance experts.
That only adds to the cost and effort involved just to get started in information sharing.
And there's still the fear that you might get into a legal snafu if the information shared is deemed inaccurate or misleading.
Then come the potential lawsuits. This can be
exacerbated in jurisdictions with strict liability laws where organizations can be held accountable
for the consequences of the information that they share, regardless of their intent.
As a result, many organizations adopt an ultra-conservative approach, sharing nothing or the bare minimum that's required by
law. Hey, and let's be honest, that level of sharing is not effective at all.
Number two, risk of exposure and misuse. When organizations share sensitive information, they run the risk that the data could be leaked, and worse yet, used against them.
The last thing anyone wants to see is their sensitive info published openly on the internet, social media sites, or even in the news.
For example, sharing details about a recent cyber attack could inadvertently disclose the vulnerabilities that have not yet been fully mitigated. That risk is especially highlighted when
companies are sharing information with third parties that may not have the same level of...
And that's our show. Well, part of it. There's actually a whole lot more, and it's all pretty
great. So here's the deal.
We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show,
head on over to the cyberwire.com slash pro and sign up for an account. That's the cyberwire,
all one word, dot com slash pro. For less than a dollar a day, you can help us keep the
lights and the mics on and the insights flowing. Plus, you get a whole bunch of other great stuff
like ad-free podcasts, my favorite, exclusive content, newsletters, and personal level-up
resources like practice tests. With N2K Pro, you get to help me and our team put food on the
table for our families,
and you also get to be smarter and more informed than any of your friends.
I'd say that's a win-win.
So head on over to thecyberwire.com slash pro and sign up today for less than a dollar a day.
Now, if that's more than you can muster, that is totally fine.
Shoot an email to pro at n2k.com and we'll figure something out.
I'd love to see you on N2K Pro.
One last thing, here at N2K,
we have a wonderful team of talented people
doing insanely great things
to make me and this show sound good.
And I think it's only appropriate
you know who they are.
I'm Liz Stokes.
I'm N2K's CyberWire's Associate
Producer. I'm Trey Hester, Audio Editor and Sound Engineer. I'm Elliot Peltzman, Executive Director
of Sound and Vision. I'm Jennifer Iben, Executive Producer. I'm Brandon Karf, Executive Editor.
I'm Simone Petrella, the President of N2K. I'm Peter Kilby, the CEO and publisher at N2K.
And I'm Rick Howard.
Thanks for your support, everybody.
And thanks for listening. Thank you.
...and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.