“Cyber criminals connect with each other via forums, verify credentials and share experience, information and malware across borders, freely and willingly – and unless regulators, government intelligence services and industry participants do the same, we will remain one step behind the criminals,” a senior regulator told delegates at the UK Financial Services Cyber Security summit, held in London this morning under Chatham House rules.
She added that while there were jurisdictional and national security concerns to be overcome, the biggest issue preventing such information sharing was a lack of trust; the proliferation of sophisticated cyber crime undermined trust, leading to more cyber crime and making cross-jurisdiction action more difficult, in a ‘catch 22’ scenario.
Information sharing (with whom, how and for what purpose) was a major theme among the senior UK banking and finance information security officers, EU and UK sector regulators, and intelligence service representatives addressing the audience.
Among some of the key recommendations to emerge were:
1) Any information sharing has to be two-way. So if regulators are asking to see attacks, the information should come back to participants in a useful form.
2) Information provided should be anonymised, but with locational data.
3) Information storing should not be a burden, and the information needs to be actionable. This should include what actions failed to stem attacks and what action was successful.
4) There need to be threshold levels for what attacks need to be reported (e.g. a company facing thousands of attacks may not need to report all of them).
5) There needs to be compliance with privacy laws and national security.
6) There needs to be assurance that confidential information that could reveal country weaknesses is secure, which may require a central hub to coordinate and disguise the source.
7) It is also necessary to avoid duplication (e.g. by multiple regulatory bodies).