The Inaugural Post
By: Dave Weinstein | Director of Cybersecurity, NJOHSP
A recent survey of cybersecurity professionals reveals that an astounding 43% of them share cyber threat intelligence only within their own organization. In other words, more than half of the data on cyber threats is compartmented not only by industry, but also by institution.
It's no secret that information security practitioners limit the distribution of their cyber threat intelligence to protect their company's interests in case the information is compromised. Not only are companies worried about inviting reputational harm from bad press and revealing network vulnerabilities to hackers, but they also fear the risk of civil liability. Once data is shared outside of an organization, the sharer's confidence in the confidentiality and integrity of the data plummets; intelligence otherwise regarded as useful suddenly is perceived as having more potential for harm than good.
Another finding from the survey is industry's specific reluctance to share information with the government (particularly the federal government). Just over 1 in 5 respondents admitted to having shared information with the public sector, with 81% agreeing that the government needs to share more of its intelligence with industry. In other words, “government is all 'pull' and no 'push.'”
While this survey doesn't necessarily reveal any surprises, it does assign quantitative value to the very real deficit of trust between industry and government, and industry's dissatisfaction with its access to the government's cyber threat intelligence. As it happens, I’ve been observing this trend in New Jersey for some time and this survey confirms what I've heard countless times from businesses across the State.
So, last week we took concrete steps to address both trust and access here in New Jersey. On July 8, the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) announced a partnership with the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is the world's leading non-profit committed to sharing and analyzing cyber threat intelligence across the global financial sector.
Like the NJCCIC, the FS-ISAC is an organization built on trust. To put this in context, if the aforementioned survey only polled cybersecurity professionals from FS-ISAC's member companies, the results would reflect a far greater appetite for sharing outside of one's own organization. Why? It's not because FS-ISAC's member companies are more altruistic or riskier than other companies; rather, it's because the organization’s success depends on trust. At the end of the day, it's their value proposition. Under this agreement, the NJCCIC is a trusted partner of the FS-ISAC and is therefore bound by the very same standards and protocols that have incentivized the world's largest banks to share their most sensitive cyber threat intelligence with FS-ISAC for over a decade.
In addition to addressing the trust deficit, this partnership helps expand access to threat intelligence for New Jersey's financial institutions. The use of an open-standards, automated sharing platform will ensure near-real-time awareness of cyber threats across the State. But access is of little value unless the intelligence is actionable. As the report notes, "obtaining threat intelligence is relatively easy. Finding threat intelligence that is relevant to an organization and can help it make decisions about defence is more challenging." I agree, which is why the NJCCIC's Cyber Threat Intelligence Analysts perform the role of filtering out all the noise and tailoring their analysis to meet the unique needs of the consumer - whether it’s a non-tech-savvy CEO at a community bank or a network administrator at a local credit union.
In cyberspace, the attacker will always have a head start on the defender. But if we're to make it a fairer race, valuable cyber threat intelligence cannot reside in organizational silos - whether it's government silos or industry silos. The NJCCIC's recent partnership with the FS-ISAC may be limited to New Jersey's financial sector, but it exemplifies a model for expanding the public's access to cyber threat intelligence and integrating proven trust mechanisms into new and existing government institutions.