Cyber information sharing: achieving the Holy Grail of cooperation
4 May 2017|

Image courtesy of Flickr user Northsky71.

When confronting the problems of cybersecurity, it’s often noted that, regardless of time and space, we’re all exposed in some way to the same active and innovative threat actors. Shared threats promote cooperation, and sharing information on cyber threats has long been acknowledged as an efficient way to reduce the effectiveness of cyber threat actors. For this reason, a key initiative of Australia’s Cyber Security Strategy is the establishment of a multilayered, public–private cyber information sharing network, focused on the Australian Cyber Security Centre (ACSC) and new cross-sectoral joint cyber security centres (JCSCs) in state capitals. Cyber information sharing is not new to Australia, but this renewed focus is an opportunity to create an effective national network to share information that assists all participants to improve their security, collectively enhancing Australia’s overall cybersecurity posture and capability.

However, establishing information sharing networks isn’t simple. They can be undermined by a lack of trust, inadequate funding, and poor engagement from contributors who don’t share a common understanding of the vision and objectives of the organisation. In addition, public–private information sharing is often held back by concerns that overclassification of information and slow sharing by government agencies reduces the value and effectiveness of information sharing. This was recently highlighted in the ACSC’s 2016 Cyber Security Survey, which showed that respondents viewed information, intelligence sharing and collaboration as the least important factor in mitigating cyber risks. The survey’s poor results for perceptions of the value of information sharing indicate that the foundations of trusted information sharing networks in Australia remain weak.

As Australia embarks on a process to develop a deeper and wider national cyber information sharing network, careful consideration of the lessons learned by the US and other international partners is necessary to ensure early success and long-term sustainability. This is the focus of my  paper, Cyber information sharing: lessons for Australia, which was released today. The paper builds on a forthcoming report by ASPI’s US partner the MITRE Corporation, Building a National Cyber Information-Sharing Ecosystem.

The US has been pursuing cyber information sharing since the late 1990s, when the federal government directed the creation of public–private partnerships for critical infrastructure protection. The now decades-long development of a variety of information sharing models in the US, and the greater complexity of its industrial and commercial sectors, provide a healthy catalogue of case studies and lessons for the Australian cybersecurity community as it pursues deeper information sharing mechanisms.

MITRE has examined three US cross-sectoral, regionally based information sharing and analysis organisations: the Advanced Cyber Security Center from Massachusetts, the Northeast Ohio CyberConsortium from Ohio, and the National Cyber Exchange from Colorado. From its assessment, MITRE has devised nine questions, dubbed the ‘Gnarly 9’, which must be addressed to build a successful cross-sectoral cyber information sharing organisation. The nine questions can be further distilled into three pillars of a successful information sharing organisation: adequate funding, trust between participants, and a collaboratively developed strategic plan.

Funding and a strategic plan are factors of the investment of time, money and people in the initial stages of establishment, but trust is an intangible quality that has to grow between participants. Growing trust will take time and experience of cooperation between individuals and organisations, although there are structural components that can support the growth of trusted relationships and enable effective information sharing. There are several possible models for information sharing ecosystems, but the current approach of the Australian community, building on the ACSC and JCSCs, is leading towards a ‘hub-and-spokes’ model. In this model, the nature and role of the hub is particularly important in enabling the growth of effective sharing and trusted relationships.

Building on the lessons learned from US information sharing organisations as discussed by MITRE, Cyber information sharing: lessons for Australia presents a possible model that meets the Cyber Security Strategy’s call for a multilayered public–private information sharing network. Based on existing sharing organisations and linkages, such as the ACSC and emerging JCSCs, this information could be provided to an independent clearing house as the hub of the national network, integrating multiple information feeds. This would make it easier to ensure that information is appropriately managed and ensure a level of anonymity for information providers, supporting the development of trust in the network necessary for participant buy-in and sustained information sharing. Further investment in automated, secure, standards-based information sharing will also be necessary to provide actionable information in real time.

A national cyber information sharing network will be an important mechanism to enable the achievement of stronger national cyber defences and resilient networks. The development of this network will be an evolutionary process, but Australia should take heed of the lessons learned by partners in the US and elsewhere.