WASHINGTON: As hard as it is to figure out how to share cybersecurity information within the US — just look at Congress’s recent failure to legislate on the subject — it’s even harder to do internationally.
“We’re all pulling together because we have to,” Maj. Gen. Mark Bowman, the US Army officer who is now chief information officer for the Joint Staff, said at the ComDef 2012 conference at the National Press Club. “The value of cybercrime today is close to eclipsing the value of the illegal drug trade.”
But pulling together globally is even more daunting than domestically. “Everywhere I go, I hear that information sharing is key,” lamented Andrea Rigoni, director of the Italian non-profit Global Cyber Security Center, but in practice, he almost never sees it happen — at least, not outside the relatively narrow context of the NATO defense sector.
There’s a Catch-22 at work: “Most of the intelligence agencies are not able to share meaningful data with the private sector unless it’s classified, but for the private sector classified data is useless,” Rigoni said. Even if a company’s cybersecurity officer is cleared, he or she can’t share classified data with the uncleared executives who have to make crucial decisions, like investing in new anti-virus defenses or taking a threatened network offline. As a result, said Rigoni, “our enemies are exploiting the fractured [approach] we have in most organizations.”
“The seams [between organizations] will be exploited by the bad guys,” agreed Canadian Maj. Gen. David Neasmith, an Afghanistan veteran who now heads information management on the Canadian joint defense staff. Cybersecurity officers can build upon the well-established procedures for sharing sensitive information both with NATO and among the so-called “five eyes,” an Anglophone intelligence-sharing consortium linking the US, Britain, Canada, Australia, and New Zealand that dates back to World War II.
But old-fashioned information-sharing between humans is not enough: To keep up with the pace of the web, there needs to be automated exchange of data between computers, without waiting for a human to approve it. In that sensitive area, Neasmith said, “it’s not going to be easy to set up a protocol.”
Anyone see the opportunity here for a NATO STANAG?