Intelligence Agencies Seek Fast Cyber Threat Dissemination'Five Eyes' Partners Commit to Putting Threat Intelligence Into Public's Hands
When a cyberattack begins, Canada's intelligence establishment can get essential threat information to a critical infrastructure provider in just seven minutes. While that's an improvement on what previously might have been a seven-week delay, the goal is to get such threat-information sharing down to 7 milliseconds, says Scott Jones, who heads the Canadian Center for Cyber Security.
Jones was speaking at the annual CyberUK conference, held this week in Glasgow, Scotland. The event is hosted by the U.K.'s National Cyber Security Center, the public-facing arm of intelligence agency GCHQ.
In an opening keynote on Wednesday, GCHQ Director Jeremy Fleming said his agency continues to put more essential threat intelligence into the hands of U.K. businesses and government agencies. "Specifically, in the last year we have made it simple for our analysts to share time-critical, secret information in a matter of seconds," he told the audience. "With just one click, this information is being shared and action is being taken."
Fleming also committed to more rapidly disseminating more data. "In the coming year, we will continue to scale this capability so - whether it's indicators of a nation-state cyber actor, details of malware used by cybercriminals or credit cards being sold on the dark web - we will declassify this information and get it back to those who can act on it," he said.
Such efforts carry a learning curve. Ciaran Martin, CEO of the NCSC, said sometimes when there's an internal discussion about whether his center should publicly release certain indicators of compromise, someone on his team will find that they've already been made public by a commercial firm.
Five Eyes Continue to Share Intelligence
At CyberUK this week, for the first time in history, representatives from all parts of the "Five Eyes" intelligence-sharing alliance appeared on stage together in the U.K. for a panel discussion. The alliance was formed in 1941 between Australia, Canada, New Zealand, the U.K. and U.S.
"Five Eyes is the term we use to describe the intelligence alliance between our countries," said Yasmin Brooks, director of cyber at the British government's Department for Digital, Culture, Media and Sport, who moderated the panel.
All panelists spoke about just how substantially intelligence sharing has changed in the past 78 years.
In the past, governments could share secrets from one compartmentalized intelligence group to another nation's compartmentalized intelligence group, on the grounds that it would go no further, especially because it might reveal sensitive sources and methods. But with nation-state attacks and cybercrime ascendant, if cyber intelligence is going to help victims, it can't remain secreted in compartmented government groups, the panelists acknowledged.
Goal: Unclassified, Actionable Information
Intelligence officials said getting the right information into the right hands as quickly as possible is mandatory for battling online attacks.
"One of the focus areas for NSA is not just the speed but the classification," Rob Joyce, senior adviser for cybersecurity strategy to the director of the U.S. National Security Agency, said during the panel, gesturing to the NCSC's Martin. "I can give Ciaran some very valuable information at the classified level, very, fast and very easy. But if it turns out that's needed in the critical infrastructure of a commercial company in the U.K., I haven't helped him a lot by handing it to him at that highest classification level."
Less classification - or declassifying information altogether - can make it more useful. "Getting it ... unclassified at actionable levels and down to actionable levels is really the area that's going to pay the most dividends," Joyce said. "Exquisite intelligence that's not used is completely worthless."
Information Sharing Evolves
Of course, governments aren't the only source of threat intelligence. But intelligence agency officials said that they're aiming to share more valuable information, looking far beyond simple IoCs to better intelligence not just on attackers' tools but also their behavioral patterns.
"Information sharing from 2005 to 2015 in cybersecurity was plagued frankly by lack of coherence; you just dumped things into central databases - you couldn't analyze them, you couldn't [compare] them. But that is improving," Martin said.
But information sharing is only part of a much bigger picture. Experts spoke to the need for organizations to put the right cultural changes, policies, practices as well as tools - open source and commercial - in place to protect themselves.
Cybersecurity Minimum: Logging
Logging in particular was cited as a challenge for many organizations. The NCSC has just released "Logging Made Easy," which is intended to help organizations of any size to log security events. The thinking is that just like CCTV camera feeds can aid in the investigation of a physical break-in, having log data can help incident responders following a breach.
The emphasis on how to do at least simple logging is a reminder that even with intelligence agencies sharing threat information, every individual organization remains responsible for securing itself.
"Please, please, please take the products we're offering, your own tools, open source ... [and] you need to start doing logging better," Ian Levy, NCSC's technical director, told attendees. "We cannot protect you from everything; you still have to do your own cybersecurity."