Speaking at the RSA Conference 2013, Colley said that enterprise firms' ongoing mistrust of small to medium-sized businesses' security, combined with their new wariness of government agencies, has hampered CISP's information sharing efforts.
"The bottom line is, I'm not going to share information with anyone I don't know and trust. So if you're a small organisation or a medium-sized organisation, you need to get to know the people with the information you need and build some trust. You can't just sit back and expect all this information to just come to you," he said.
CISP is an information-sharing initiative launched by the UK government as part of its ongoing Cyber Security Strategy. It is designed to help protect the UK's growing digital economy against hackers by facilitating real-time data sharing between the government and private sector.
Colley said this has meant many larger firms have continued the old model of sharing information on a more ad-hoc "club" basis. "Closed clubs are generally how you share information. They work by building up trust between small groups of individuals," he said.
He highlighted the NSA's notorious PRISM spy campaign as a key reason for the breakdown of trust. "The only way this works is through a trust network and clearly, this has broken down. It still works among individuals but when it comes to government agencies it's broken down. This is because the NSA has committed the cardinal sin of being found out."
The ISC2 expert said this is no bad thing, as in the past such systems have proven effective. "If I go back 10 years, I was a member of a select 'dining club'. We used to meet every few months. Different companies would act as the host and at gatherings we'd have a few drinks and a nice meal and then we'd just talk about a few things. In the same year the club was running, Barclays was hit by the first phishing attack in the UK," he said.
"Phishing is old hat now, but this was the first one. Back then the acting chief security officer of Barclays told us what happened and how the attack had changed over time. Two weeks later, NatWest, part of the RBS brand I was working for, was also hit by a phishing attack. We were able to respond to that very quickly because we knew what they were able and going to do."
Colley added that making CISP more relevant to a wider audience will be difficult as it will require the government to create a new anonymised way to share data.
"I wish CISP and all these people success, but I'm not sure this will scale unless you find some standard way of reporting threats and trends, unless you can find a way to anonymise what is being sent. The problem is, by anonymising you often neuter it," he said.
"For example, during my time at RBS we were contacted by someone from the then Hi-Tech Crime Unit, telling us someone had gotten hold of something they shouldn't. When we asked where the Hi-Tech Crime Unit had got the information from, they said 'we couldn't possibly tell you'."
"This was the only time we'd gotten anything from the Hi-Tech Crime Unit, and it was so anonymised we couldn't use it as it was."
Despite Colley's negative comments, some CISP members have defended the scheme. FireEye chief technology officer and active CISP member Greg Day said the programme is in its early stages and is working on ways to help SMBs.
"When we first started thinking about CISP we were asking about what people would actually do with the information. If you go back to the big organisations they just want the quick description because they've got the capabilities to translate it and turn it into an action. But if you move down into most smaller organisations, most of them don't have the skills to use it. You'll send it and they'll just ask 'what is this, what do you expect me to do?'," he said.
"Part of the longer-term plan is to use CISP for different outputs for different people, to ask what's relevant to them. We could easily bombard people with so much information they just ignore it. You need someone doing some enrichment, looking for what's relevant going down the food chain. You then need someone who can go even further and just send out information about a solution. That's why I welcome the set up of a UK national Computer Emergency Response Team (CERT)."
The government announced plans to create a UK CERT in December 2012. The team is designed to help UK business and law enforcement groups, such as the new National Crime Agency, respond to cyber threats more quickly.
No comments:
Post a Comment