(Published by AFCEA, Primary author John M. Gilligan) — There has been increased public dialogue recently regarding the importance, the potential benefits, and the urgency of sharing cyber-related information. The inference from much of the dialogue is that information sharing is viewed as a primary means to improve the Nation’s cyber security posture.
AFCEA’s Cyber Committee has been evaluating the topic of information sharing. In the fall of 2014, the Committee assessed the nation’s needs for information sharing and developed a set of recommendations that were provided to the White House team developing the Executive Order on information sharing (Promoting Private Sector Cybersecurity Information Sharing [EO 13691]).
The Committee has subsequently reviewed the Executive Order and its recommended actions to implement a robust national information-sharing infrastructure. The Committee observes that there are many solid and beneficial aspects of the Executive Order. However, it believes that a successful implementation of the Order requires an appropriate context for these efforts, as well as a framework that could be used to define success.
This paper provides additional recommendations for establishing the standards and the implementation of an effective National Information Sharing Infrastructure.
A Context for Information Sharing
The Committee believes that it is essential to recognize that the objective of information sharing must not just be the exchange of cyber-related information. Rather, information sharing must be recognized as a means to an end. The ultimate end objective is enabling members of the cyber ecosystem to make defensive risk-based decisions based upon much more precise data. That is, the act of exchanging or sharing information is necessary, but not sufficient, to prevent cyber-attacks.
Unfortunately, the term ‘information sharing’ has become a misnomer. Enabling individual members of the ecosystem to achieve greater visibility into the threats facing them by actively exchanging relevant data with other trusted members assists these organizations in taking advantage of the collective wisdom of the group.
Achieving the desired end objective requires not only the sharing or exchange of relevant information, but also the employment of appropriate analytical methods and tools that turn shared information into actionable products, either narrative guidance or automated means to block potential cyber-attacks. Therefore, we recommend that appropriate emphasis be placed on the analytical methods and tools, as information sharing standards and implementation strategies are developed.
Information Sharing Framework
The Committee also believes that an appropriate model for implementing the information sharing requirements of the Executive Order is helpful to guide implementation efforts. In this regard, the operating methods of the National Weather Service (NWS) or the Centers for Disease Control (CDC) are appropriate operating models.
In both examples, there is an abundance of decentralized information exchanged with, and among, reporting organizations, but the primary value of the NWS and CDC is in the analytically derived products they develop. These products are then distributed in the form of weather warnings or health guidance to help save lives. These products are distributed to specific geographic regions or target populations, as appropriate.
For our Nation’s cyber infrastructure, we need a National Information Sharing Infrastructure where the information exchanged is first appropriately analyzed so appropriate warnings or recommended actions can be disseminated to target audiences. Key to the success of this National Information Sharing Infrastructure is a tailored approach to the analytical products so they meet specific needs of a highly diverse set of audiences (e.g., government; large, mid-sized, or small companies; industry-specific; private citizens; etc.), each having unique cyber information sharing product needs.
To help guide the development of a National Information Sharing Infrastructure, the Committee recommends that the effort be guided by a framework of principles and measures of success. This framework ensures the efforts are clearly grounded in the broader context for information sharing and the appropriate end objectives.
Key principles of a National Information Sharing Infrastructure
- A mesh of multi-directional information flows;
- Multiple nodes performing analysis of shared information leading to intelligence-derived recommendations and products;
- Responsiveness to the different time sensitivities of multiple customers and audiences; and
- A design that is resilient against attack and compromise with a strong focus on the integrity of the analytics being reported.
Recommended Measures of Success for a National Information Sharing Infrastructure
1. Breach or attack is prevented or detected in time to allow a defender to make a risk-based decision on action;
2. Cyber security related investments are realigned or increased;
3. Identification of attack patterns leads to changes in standard, commercial products that negate the attack;
4. Increased awareness and creation of a culture of cyber security at all levels, from organization executives to individual cyber systems users; and
5. Value derived from measures 1-4 to entice organizations to want to participate in the sharing of their information amongst all stakeholders (i.e., private, public, and Academia).
The AFCEA Cyber Committee strongly supports the objective of improving our nation’s ability to deter cyber-attacks. Properly focused, the guidance in the recent Executive Order can be of great benefit toward achieving this objective.
The recommendations in this paper provide what is believed to be the necessary context and framework for building a successful National Information Sharing Infrastructure. The Committee will continue to assess the area of information sharing and provide additional papers, as appropriate.
Note: This paper was published by AFCEA and the primary author was John M. Gilligan. Other papers on this topic can be found on the AFCEA Cyber Committee website.