Companies Must Share Information on Cyber-AttacksBy Samuel Greengard | Posted 2015-09-15 Email Print
Former White House cyber-security advisor Paul Kurtz offers insights into the changing state of enterprise cyber-security and the need for more collaboration.
As cyber-security concerns grow, the thinking about how to best address these incidents is changing. One of the key areas that garnering a lot of attention: sharing information about incidents, attacks and methods. A person promoting this approach: Paul Kurtz, former cyber-security advisor to the White House under Presidents Bill Clinton and George W. Bush and former senior director of the National Security Council. Baseline recently spoke with Kurtz about how sharing information about cyber-attack could change the stakes for organizations. Kurtz has launched a company—TruSTAR—that focuses on this emerging space.
Baseline: What is your overall view on the current state of threats and cyber-security?
Paul Kurtz: We are increasingly dependent upon the Internet for virtually everything we do. At the same time, we are beginning to recognize that cyber-security is a problem. Today's security tools—encryption, multifactor authentication, firewalls and more— are necessary, but they do not provide the necessary level of protection.
What's more, every time we bring security further into play to address problems, we discover that the improvements are, at best, incremental. In many cases, we are improving security but are fighting the bad guys on our own.
Unfortunately, the bad guys are continuing to win. … I think the lesson learned from Sony is that anybody can be hacked.
Baseline: How and where does the concept of information sharing fit in?
Kurtz: One of the problems, historically, is that enterprises do not share information about attacks and breaches. Everyone operates as an island, and the attackers take advantage of that—particularly with today's sophisticated zero-day attacks.
Right now, organizations are playing a losing game of whack-a-mole, and many are experiencing a high number of false alerts. Information sharing changes the stakes and helps put organizations back in charge.
If we share incident data quickly, and other companies are aware of the exploits, they can react faster and better. They may be able to detect that someone is on their network and do something about it.
Baseline: What challenges does this approach face?
Kurtz: One of the big roadblocks is that companies don't want to share information because of reputational and market risks. Making the process anonymous eliminates these competitive fears and risks.
Information sharing also addresses hurdles over legal issues, particularly around civil and criminal liability and possible government regulations. The ability to view incidents, correlate reports and understand attack methods and patterns helps everyone participating in the network by providing actionable information.
Baseline: How do you see this information-sharing space evolving over the next few years?
Kurtz: There is a growing recognition that we have to remove barriers and roadblocks to [achieve] better cyber-security. The information-sharing concept will take some time to gain traction.
We have already had 10 Fortune 500 companies sign up. There is no question that other information-sharing companies and groups will emerge, and that's a good thing.
The days of practicing the head-in-the-sand approach are coming to an end. Companies must take a more active and informed approach—one that revolves around active information sharing.