INSA paper highlights importance of information sharing across sectors in defending US cyberinfrastructure

The Intelligence and National Security Alliance (INSA) recognized in a recent paper the shared responsibility of the public and private sectors in defending the U.S. cyber infrastructure. It finds that while federal cybersecurity policies are rapidly evolving—Executive Order 14028 and the White House’s March 2023 National Cybersecurity Strategy offer vivid examples—there is inconsistency in private sector cybersecurity, posing a risk to businesses and critical infrastructure.

Titled, ‘Challenges and Opportunities of Enabling Information Sharing¸’ the INSA paper promotes the importance of information sharing among private sector firms and offers practical recommendations for corporate leaders to enhance cybersecurity measures. By implementing the five suggested action steps, private sector firms can effectively improve their information-sharing capabilities.

It also realizes that the national security and economic prosperity of the U.S. depends on the public and private sectors’ shared responsibility to defend its cyber infrastructure. While federal cybersecurity policy and practice are evolving swiftly, private sector cybersecurity remains inconsistent, leaving at risk much of the country’s business and critical infrastructure. Effective information sharing is crucial for enhancing private sector cybersecurity, which must be timely, relevant, and detailed to counter cyberattacks, assist in complete system recovery, and fortify commercial networks against future breaches. 

The INSA paper suggests collaborating with internal stakeholders such as IT, legal and compliance to establish rapport and regular touchpoints with relevant teams, educate the workforce on information sharing processes, partners, and safeguards in place, create an information sharing playbook and related procedures customized for each team, and conduct recurring tabletop exercises and involve all key stakeholders. 

It also improves understanding of partner priorities, collection requirements, and how recipients can act on information; and leveraging established information-sharing entities (e.g., ISACs, ISAOs) to anonymize information/intelligence sources. The paper also recommends ensuring safeguards such as non-disclosure agreements (NDAs) or similar contractual documents; data protection regimes; and secure mechanisms for sharing (e.g., secure portal, encrypted data feed). It also suggests promoting bi-directional sharing, including adopting sector-specific intelligence-sharing platforms.

The INSA paper said that effective coordination makes the whole greater than the sum of its parts. “Unfortunately, in the cybersecurity context, malicious actors have demonstrated better proficiency at coordinating with each other to maximize harm. For example, malicious actors leverage dark web marketplaces to monetize specialists’ skills. In some instances, malware distributors sell access to infected devices for others to exploit. This freedom to coordinate allows threat actors to become more specialized and thereby more efficient and effective,” it added.

It also highlighted that coordination and sharing among cybersecurity victims and defenders has been more problematic. “Obstacles presented by a wide variety of legal entities along with the lack of a common global reporting framework have slowed effective information sharing. Despite the challenges, there should be no loss of focus on the tremendous benefits that improved information sharing can bring.” 

The INSA paper outlined that information sharing can specifically improve an organization’s cybersecurity posture through early warning and real-time assistance during incidents; deliver a greater understanding of the aggregate number and impact of incidents; identify malicious actors; and trace funds obtained by cyber threat hackers. 

Both the public and private sectors face challenges in deciding how to share information without introducing additional risks or compromising the overall security posture by revealing specific cyber intelligence, the INSA paper outlined. Additionally, both sectors wrestle with the requirement to share information that is pertinent to the other party in a way that is actionable and prevents noise. 

Specific challenges faced by public-private partnerships include internal restrictions due to liability and compliance concerns about sharing with competitors or government bodies outside of regulators; unique industry and sector priorities and collection requirements; and different segments within a sector (operations, supply chain, support, etc.) may need different types of information. It also identified risks from attribution, potential disclosure of intelligence sources, methodology, unauthorized sharing of information; and time-sensitive nature of perishable intelligence. 

The CISA (Cybersecurity and Infrastructure Security Agency) was formed ‘to defend against today’s threats and collaborate with industry to build more secure and resilient infrastructure for the future — (it is) the public sector’s steward for public-private partnerships.’ Some sectors also have Sector Risk Management Agencies (SRMAs), such as the Department of Treasury for the financial sector or the Department of Energy (DOE) for the energy sector. Along with CISA and the SRMAs, the anchor cyber information-sharing organizations within many sectors remain their ISAC or ISAO. 

ISACs and ISAOs are non-profit organizations and membership is composed of vetted representatives of private industries including financial services, transportation, utilities, and other sectors. In addition to ISACs/ISAOs and similar non-profit organizations, certain forward-leaning industries have begun to also demand collective defense platforms from their cyber vendors. 

Internationally, the U.S. government maintains relationships with its allies such as the Five Eye Nations (U.S., UK, Canada, Australia, and New Zealand), European Union, Japan, etc.. The North Atlantic Treaty Organization’s Locked Shields exercise brings together the Alliance’s member states, partner nations, and select private sector partners. Such exercises enable public and private sector entities across nations to share information and best practices.

In conclusion, the INSA paper identified a better understanding of the benefits of information sharing and how it can be conducted effectively to improve collaboration among both public and private sector stakeholders. “This, in turn, supports the Department of Homeland Security’s goals to increase information sharing between the government and the private sector.” 

Moreover, it provides valuable support to firms grappling with the challenges of determining what information to share and establishing a consistent sharing process. The collective result will bolster the security posture of the nation’s cyber infrastructure, contributing to a more robust and resilient collective defense.

Last December, the CISA identified that as the cyber threat environment evolves, so must the agency’s capabilities to analyze and share cyber threat information. In light of this, CISA will begin a two-year strategic effort to modernize its approach to enterprise cyber threat information sharing in 2024 ‘to maximize value to our partners and keep pace with a changing threat environment.’

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.