The constantly evolving nature of the cyber-threat means that only a similarly dynamic approach will help improve security. Combining the innovation and dynamism of private companies with the authority and resources of government would be a step in the right direction.
By David Saer and David Smart for RUSI.org
The cyber-threat to British business and government is growing. Statistics from Symantec, the internet protection software company, show that during 2010 over 286 million unique malicious internet threats were observed globally, with a 93 per cent increase in the volume of web-based attacks from the previous year. This translates to a growing economic threat, with the UK's Office of Cyber Security and Information Assurance estimating the cost of cyber-crime to British business at over £20 billion a year. This rising burden on the British economy cannot be ignored or dismissed as an acceptable cost of conducting business online.
There is also widespread acknowledgement that better public-private cooperation is an important element in improving security in cyberspace. At a meeting in February hosted by the Prime Minister, representatives from a cross section of British industry and government ministers agreed on the need for increased information sharing as part of a new approach to protecting the UK's economic and national security interests against cyber threats.
Research conducted by RUSI's Cyber-Security Programme has confirmed the need for sharing information on threats and responses, not just between government and industry, but between companies and other organisations, especially across sector boundaries. This research has also shown that it is vital to extend protection beyond what is traditionally perceived to be national infrastructure (e.g., defence, telecommunications, food and water supply) to include often neglected sectors. These overlooked areas of vulnerability encompass those sectors which act as service providers (e.g., lawyers and accountants) and collaborators (in particular academia), and potentially represent weak links in the cyber-security chain. Moreover, these sectors also represent vital components of the economy, and should be protected accordingly. Any critical breach of security from these companies, such as the theft of sensitive client data from a law firm or a doctor's practice, could have a damaging impact upon public confidence in the industry as a whole. Furthermore, sectors such as academia are entirely based upon the knowledge they generate through research, and hence it is vital to safeguard this from theft. There is therefore a clear need to extend protection across and within sectors to provide collective security.
RUSI's research has, however, also revealed equally widespread agreement among stakeholders and others that effective information sharing is hard to achieve, and that the costs often outweigh the benefits, as highlighted in Thomas and Walport's Data Sharing Review for the Ministry of Justice. This problem afflicts many areas where collective action is crucial for security (not just cyberspace), but is rarely acknowledged publicly. The idea is attractive, but there are many examples in various fields of systems that fail to deliver. However, RUSI's research into models for information sharing shows that, whilst it is undoubtedly challenging to do it well, outstandingly effective and efficient systems do exist, and a study of these can help identify the criteria that are key to success.
Understanding the Requirement
The overarching problem for security in cyberspace is that whilst a networked world brings many benefits, those benefits are accompanied by risks. How do we manage those risks intelligently and efficiently? The immediate problem is that our knowledge of those risks is dispersed, and our understanding fragmentary.
Without adequate knowledge, countermeasures will be ineffectual, if not counter-productive, and policy will be based merely on plausible ideas and guesswork. Success will be the result of luck, not judgement. But from greater shared knowledge will follow better countermeasures (both in their design and implementation) and better policy. Thus the absolutely necessary precursor to any sensible intervention in cyber-security is: Get knowledge.
Genuine knowledge is rooted in accurate, timely information, but how are we to understand 'information sharing'? It covers a wide range of actions, from the exchange of high-level generalised conclusions (e.g. at conferences or liaison meetings) to the automated transfer of large volumes of data. We would suggest that the latter is not appropriate in this instance, two major objections being the horrendous privacy implications and the technical infrastructure needed. High-level exchanges have their place but experience (e.g. from financial crime) suggests that by themselves they are inadequate. The answer lies somewhere between these two extremes: in essence, the reporting of incidents by individuals at the operational level. This does not rule out deeper analysis and higher level exchanges, but is a necessary precursor: a firm foundation of hard information on which they can be based.
There is, indeed, much good co-operation and information sharing already in the field of cyber-security, often of an informal sort. But this activity tends to be confined to a particular sector (e.g., banking or academia) and even then it is rarely comprehensive. The sharing of knowledge is fairly high level or anecdotal: what is lacking is a foundation of hard information upon which a solid body of knowledge can be built. It will be important, however, to ensure that any new initiative(s) do not harm or disrupt the good work that is already being done: they should enhance and improve, not replace. Especially important will be avoiding a form of moral hazard where reporting, analysing and solving problems become 'someone else's business'. This will easily happen if the wrong model is adopted. Systemic flaws produce perverse outcomes, no matter how commendable the aims or how strong the commitment to them.
There are several guiding principles upon which we believe any solution to the problem of wider cyber-security should be based.
The first is that the process should be fundamentally based upon active collaboration between the public and private sectors, whereby the government and its relevant agencies are equal stakeholders rather than controlling entities. This is designed to ensure a more level playing field to engender trust between public and private agencies, and to help facilitate greater information sharing, to the mutual benefit of all.
The second principle concerns the shifting of responsibility for cyber-security from central government agencies to companies themselves. This is designed to empower companies so that they may look after their own interests and not have to rely on the resources and direction of some central entity. This will help overcome the crucial time delay which occurs whenever companies at the periphery have to defer to the centre, thus reducing the vital time between detection and response to cyber incidents, where action will need to be taken within minutes rather than hours. Therefore companies should be provided with the tools and education to protect themselves from the most prevalent threats, and also trained to recognise serious incursions so that the rest of the community can be alerted and the relevant government agencies quickly involved.
In relation to this, the third principle argues for the creation of an environment which encourages collective security that can be collectively enforced, rather than security controlled and enforced from a central entity. An ideal model of cyber-security would facilitate, rather than direct, information-sharing between companies across non-traditional sector boundaries, and would encourage a culture of 'cyber-hygiene' amongst its members. Member organisations would thus be nudged into practising better cyber-security as part of a collective community of security, with any central agency only intervening when necessary.
The fourth and perhaps the most important principle concerns the operator 'at the coalface'. This is the person who will spot and report incidents. If the system is designed so that their interest and intelligence are engaged, it will succeed. If not, a 'box-ticking' mentality will prevail and the information entering the system will be of poor quality, which will be devastating. Positive and negative factors come into play. The most important positive factor is that the system helps the operator to do their job better: they have access to the reports it contains and can use them to implement better countermeasures locally. This is a powerful incentive to contribute to the body of information themselves. On the negative side there must be no undue obstacles or disincentives to report. Reporting must be easy, quick, not (primarily) a compliance issue, and not governed by arbitrary targets.
When considering the feasibility of putting these principles into practice, it is instructive to look towards existing collective security and information sharing arrangements. Public sector models such as the Serious Organised Crime Agency's Suspicious Activity Reports (SARs) system, whilst playing a vital role in combating financial crime in the UK, are incompatible with our stated principles because they employ a top-down centralised approach, with private companies relegated to merely passing on information to assist law enforcement. Furthermore, the SARs regime is part of a large and costly public-sector body, which is at odds with our vision of a small and nimble public-private sector collaborative entity.
A workable model can be found in Information Sharing and Analysis Centres (ISACs), which are organisations usually set up by the owners and operators of an infrastructure within a sector to provide information analysis and data dissemination. An example of this model that can be seen in practice in the UK is CIFAS - the UK's Credit Industry Fraud Advisory Service, which is a privately run organisation consisting of over 260 UK organisations, predominantly drawn from the private sector, and is the world's first non-profit fraud prevention data-sharing scheme. This model closely adheres to our stated principles as a relatively small organisation, entirely funded through membership fees, which facilitates information sharing between public and private agencies and across different sectors such as retail and finance. It also helps to empower and educate its members about fraud prevention by providing them with reports concerning the latest fraud trends and threats, and offers a multitude of staff training and even (jointly with a university) a foundation degree in Fraud Management. CIFAS provides an attractive model of collective security whereby the system empowers and educates its members whilst also facilitating information sharing, with the centre intervening and disciplining members only in cases of serious misconduct.
There is great scope for a cross-sector information sharing service to be constructed to combat threats to cyber-security, and RUSI is continuing its research into what practical form such a model could take. However, the rough outlines are becoming clear, and a collective threat such as that to cyber-security demands a collective response. Information sharing between companies and across sectors would allow the pooling of resources to understand, promote awareness of and combat threats. Criminals will not discriminate in their choice of targets, be it a bank or a law firm, and will aim to profit from wherever there are vulnerabilities.
We therefore advocate a model similar in form to a public-private partnership, where businesses and government agencies collaborate as equal stakeholders, with the aim of promoting an ethos of collective security. This allows power and responsibility to be devolved and for businesses to be able to look after their own security, but also means that specialist government agencies can be available for any 'heavy lifting'. Greater research is required into the practical mechanisms of such a model. Until the problems posed by cyber-crime are addressed, the UK will continue to suffer costly and embarrassing losses of data and hence it is clear that some form of action needs to be taken as soon as possible.
David Saer is a Research Intern in the department of Military Sciences, RUSI.
David Smart is an independent consultant specialising in Financial Crime and Cyber-security.
This research is part of a RUSI project on information sharing for better cyber security, of which this article is the first product, and is being conducted by John Bassett, RUSI Associate Fellow for Cyber Security, and also Mark Philips and David Smart.