'Need-to-know' strategy does not pass muster in cyber era
Defenders in the cyber-domain need to abandon the Cold War principle of 'need-to-know' - a gratifyingly simple but effective maxim, says Alister Shepherd.
Alister Shepherd, security and investigations expert at Stroz Friedberg
National security, economic well-being and personal security are constantly being undermined by malicious actors in cyber-space. Now, faced with cyber-adversaries eager to cooperate, such as nation states exploiting the talents of hackers or procuring services and assets from organised criminal gangs, defenders in the cyber-domain need to abandon the Cold War principle of ‘need-to-know' – a gratifyingly simple but effective maxim, where information was tightly controlled.
We have lived through the information age and now inhabit an apparently hyper-connected world, yet we continue to leave ourselves vulnerable in cyber-space due to a collective failure of information sharing. No previous arms race has had the ability to neutralise the enemy by simply publicising its methods of attack and if we want to create a properly protected digital environment, there needs to be a fundamental shift in our approach to sharing cyber-security threat intelligence. It is a process that requires governments, corporates and small businesses all playing their part.
The attackers themselves are still perceived as being organised along traditional fault lines, such as nation states, organised criminals and hacktivists. But the reality is that the threat actors are constantly evolving and, more worryingly, cooperating.
Nation states are co-opting hacktivist groups or utilising services and assets provided by organised criminals. Malware and infrastructure is shared, recycled and re-used at an alarming rate, with a recent banking malware campaign reportedly lasting just five hours. In tandem, criminals are adopting and adapting the sophisticated techniques used by government agencies.
Some of this should make it easier to defend against attacks, except that we – the defenders – are not cooperating in the same way. Even the best efforts, such as the ISAC system in the US, are stove-piped so that firms share within their industry but not with their own supply chains, a strategy that seems inexplicable from a risk management perspective. Furthermore, attackers do not think in terms of ‘industry' or ‘sector' – they consider profit, intellectual property, or perhaps ideology.
Reviewing even the most sophisticated attacks, attributed to highly cyber-capable nation states, there is a pattern of the same malware (or ‘implants' in government parlance) and command and control (C2) infrastructure being used against multiple victims, across various sectors, including energy, telecoms, finance and governmental institutions.
So what does this tell us? Our adversaries are constantly adapting. They are agile, unencumbered by regulatory or legal restraints, and their attack techniques are developing so quickly that it is impossible to keep pace without the broadest possible coalition working to defend against them. This requires a complete paradigm shift in the approach to sharing intelligence on cyber threats.
Cyber intelligence has a unique attribute, where its value increases the more widely it is shared. Of course attackers can change their C2 infrastructure or obfuscate their code, but no-one has limitless resources. Recent reporting on APT groups has shown that their operations can be severely damaged by sharing information on their tools and infrastructure.
While governments should lead the way, they are no longer the main owners of intelligence in this space. Commercial entities almost certainly top the charts for cyber-attacks by volume and this includes the most sophisticated malware. Furthermore, in the hyper-connected world, the private sector will commonly have defensive tools or capabilities that rival or exceed those in the public sector. Many organisations also have the capacity to share information and initiate investigations across international borders far more quickly than government agencies, an area where change is also required, to redress the balance.
Real collaboration between the public and private sectors is, therefore, required to make this work. However, this is not about the sort of sharing mandated in some proposed EU or US legislation, intended largely as a data privacy measure. Neither is it about closed systems, such as ISAC.
Instead, there needs to be a new model of willing cooperation that builds on and expands existing relationships. Government should lead the way in its sharing with critical national infrastructure (CNI), but these exchanges should go into greater depth and be undertaken on the understanding that the CNI in turn shares with their supply chain companies, creating a trickle-down effect.
The audit relationship for suppliers is designed for compliance – not cyber-resilience. While audits have their place, they will not stop breaches, unless accompanied by a programme of intelligence and capability sharing. While the approach may discard key Cold War principles, it is one that is in everyone's interest – attackers do not pigeonhole us, so why do we limit ourselves?
Contributed by Alister Shepherd, security and investigations expert at Stroz Friedberg, an investigations, intelligence and risk management company.