Ransomware epidemic prompting firms to rethink information sharing
The surge in ransomware attacks could have the unintended effect of getting reticent companies to share cyber threat indicators with government.
The Department of Homeland Security has signed up 100 "non federal" user for its Automated Indicator Sharing program – the machine-to-machine cyber information sharing program that was authorized under the Cybersecurity Information Sharing Act signed into law in 2015.
Non-federal users include state governments, international organizations, computer emergency response teams, banks and other private companies, according to Preston Wertz, a senior strategist in DHS' Office of Cybersecurity and Communications. The group also includes Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations run by industries.
The epidemic of ransomware is one reason why industry and others are finally moving toward information sharing.
Companies have been leery about information sharing in cases of economic espionage, intellectual property theft and similar cyber crimes, because of the potential that disclosures could have an adverse impact on their financial prospects.
Ransomware, in which hackers hold computers and even entire networks hostage for electronic cash payments, is a different beast. This type of cyber attack has been making incursions into critical infrastructure providers' lanes lately, according to Dewan Chowdhury, cybersecurity advisor for Pepco Holdings, the mid-Atlantic electrical utility that merged with Excelon in March.
"The perception has changed," he said. A "handful" of other malware attacks have also landed at other critical infrastructure providers. Malware operations in Eastern Europe "are taking industry hostage," Chowdhury said in a June 9 panel discussion on the DHS Automated Information Sharing program in Arlington, Va.
DHS officially launched its AIS program under the Cybersecurity Information Sharing Act of 2015 last February. AIS enables the machine-to-machine exchange of cyber threat indicator information between the federal government and the private sector. DHS offers several layers of information sharing with industry, with the AIS effort being the broadest for industry.
Commercial industry has been cautious as the threat indicator program has gotten off the ground with legal concerns of how that information will be used a common topic of discussion.
A member of the crowded audience at the DHS event told Andy Ozment, DHS' assistant secretary for the Office of Cybersecurity and Communication, that his company's legal counsel had some concerns about sharing threat indicator information.
Ozment said industry lawyers should more closely consider the "information sharing, not reporting," that AIS provides.
Chowdhury noted that Pepco's lawyers needed six to seven months to sign off on a sharing agreement. The company has been using DHS' higher-level threat sharing service Cyber Information Sharing and Collaboration Program for the last two years. "It's a cultural issue," he said of companies using threat information but shying away from sharing their own. "Everyone likes to receive, but no one likes to give."
Ozment said he understood the legal concerns, but added that many companies were already sharing threat information before CISA went into effect. He said he thought most legal concerns boiled down to getting to "zero risk" for that shared information once it leaves the company.
The focus, he said, should be on drawing down the risk for the company as a whole and making general counsels see the benefits that sharing indicators can bring to both security and the bottom line.
Ozment reassured attendees that DHS' information sharing programs weren't "regulators, intelligence agencies or law enforcement."
When asked by an audience member if a company should help trap ransomware thieves by pretending to play along to their bank account information and identify them, Ozment said, "that would be the time to call law enforcement."