The CIP Report

International Cyber Incident Repository System: Information Sharing on a Global Scale

Amanda L. Joyce and Nathaniel Evans, PhD
Risk and Infrastructure Science Center, Argonne National Laboratory

Introduction

Information sharing is essential for protecting against increasingly sophisticated cyber-attacks on the systems supporting governments and critical infrastructure.[1] According to a study performed by IBM and the Ponemon Institute with information gathered from 350 companies in 11 countries, the average cost of a data breach in 2015 was $3.79 million, up 23 percent over the previous two years.[2] Although the statistics vary by country, malicious or criminal hackers were responsible for 47 percent of the attacks in this particular study.[3] It is likely that early detection and open information sharing between countries may greatly reduce the cost of a data breach.[4]

This paper puts forward a plan to increase cyber-incident sharing through a proposed system that we will refer to as the “International Cyber Incident Repository System (ICIRS).” This system can help inform and eventually mitigate the risks of cyber-attacks to participating members. As members (governments or organizations) begin to share information on both attempted and prior successful attacks, other members have the ability to access and use those data to adapt to potential new security issues, thus helping to mitigate potential future risk.[5] At this time, there are no international repositories of cyber incidents available. The proposed plan, outlined below, will grant participating members access to the repository for information about previous/current cyber incidents. The members will also have the ability to input information into the system on a completely voluntary basis.

Current Information Sharing Models

There is currently no globally agreed-upon cyber incident repository. The difficulty with such an international system is that an incident means different things to different countries. In the United States, an incident is defined as “the act of violating an explicit or implied security policy.”[6] One difficulty with this definition is that it presumes a policy is in place. Of greater concern are the differing laws and policies within each country. For example, privacy laws may limit the amount of information one country can share, which reduces the ability to help analyze trends. The European Union and the United States have discussed the need for international cooperation in voluntary information-sharing practices but have yet to agree on any particular platform.[7] The following paragraphs present examples of information-sharing platforms that the proposed ICIRS plan will emulate.

In the United States, there are two large cyber incident reporting vectors: the U.S. Computer Emergency Readiness Team (US-CERT)[8] and the Industrial Control System CERT (ICS-CERT).[9] US-CERT is the catchall cyber incident report repository as this is the agency to which, by law, some members are required to report. ICS-CERT collects strictly ICS-based cyber incidents within the United States. Both agencies analyze the information provided to identify trends and indicators of attacks.[10] In addition, the United States has Information Sharing and Analysis Centers (ISACs)[11] and Information Sharing and Analysis Organizations (ISAOs),[12] in which participation by cyber security professionals is completely voluntary. Several better-known ISACs include the Multi-State ISAC, Financial Services ISAC, and Aviation ISAC. Those organizations that do not fit nicely into one particular sector typically seek instead to establish an ISAO. These ISACs and ISAOs produce and disseminate intelligence reports to critical infrastructure sector owners/operators, thus aiding risk mitigation through public-private partnerships.[13] The ISACs, ISAOs, and CERTs have an information-sharing framework and collaboration forum that could potentially succeed on an international level with other participating members. Not only does the United States have voluntary programs, but it also has Executive Orders (EOs) developed by presidents that promote secure information sharing among public-private partnerships.[14]

While the United States has a much more clearly defined information-sharing model and also policies about information sharing, the European Union (EU) has a high number of fragmented information-sharing schemes that often leave the users of the systems confused.[15] The EU has agreed that a more strategic approach to its schemes could benefit any initiatives to collaborate on information sharing.

In 2009, the Nordic Defence Cooperation (NORDEFCO) was formed by the following Nordic countries: Denmark, Finland, Iceland, Norway, and Sweden. The partnership between these countries operates at the military and political levels. The goal of NORDEFCO is to strengthen all of the countries’ defense capabilities by identifying areas for cooperation and solutions, including cyber. In 2014, NORDEFCO and the North Atlantic Treaty Organization (NATO)-aligned Baltic states instituted a framework that includes a multi-tier collaboration platform for sharing cyber information and cyber defense strategies. The goal of this partnership is to have a common position on cyber defense.[16]

More broadly across the world, NATO has cyber defense as part of its core tasking within collective defense.[17] Although we are uncertain how the platform works, just the fact that there is a collaborative multinational organization with this tasking provides a great starting point for launching an overall information-sharing platform. Although NATO recently agreed to share information and best practices with the EU,[18] its repository is not global in scope. In addition, the United Nations (UN) has taken a position in discussing the current challenges within cybersecurity. The UN is seeking to build awareness, identify best practice policies, and explore options for global responses to rising cybercrime.[19]

Although there are no known continental information-sharing platforms in the world, much like in Europe, many countries, such as Australia,[20] South Korea,[21] Japan,[22] Israel,[23] South Africa,[24] and Argentina,[25] have established a national CERT, which underscores the fact that basic knowledge of cyber events and responses is available within many countries.

Administration

The administrative body should be a large institution capable of handling and securing confidential and proprietary information. The large institution will garner support from governments and businesses, especially if it is already part of the international community and has established relationships. Examples of institutions would include the UN and NATO. The ICIRS would support current information-sharing and collaborative efforts among both of those organizations’ members. It is envisioned that ICIRS would be a branch of or a department within the organization as a collection and dissemination point for all cyber information. The organization would be in charge of maintaining, validating, and securing the data within the ICIRS.

Potential Benefits

There will be multiple benefits to ICIRS participants. Although reporting to the repository will be anonymous, ICIRS can also serve as a warning system if a government or organization forecasts a possible attack on another nation. ICIRS will help promote and improve international cyber diplomacy between governments and organizations alike by providing an opportunity to improve trust in international partnerships as discussed earlier with respect to ISACs and ISAOs. The ICIRS will bring nations and organizations together in a different arena, which has the possibility of paving the way for additional cooperation in other arenas, including law enforcement and national security. Furthermore, this cooperation would possibly lead to increased transparency in international cybercrime or cyber terrorist investigations, with consistent adjudication in an international court. Moreover, ICIRS will speed up and enhance post-incident reporting.

In addition, as with the ISACs, this structure will provide an area for collaboration and innovation in cybersecurity.[26] The shared information will act as an early warning system for vulnerabilities targeted in all organizational members, such as critical infrastructure vulnerabilities. This structure will not only help to mitigate known attacks but will also serve as a forum for analyzing and forecasting future attacks and surfacing ways to prevent them or mitigate the risk they pose. Furthermore, the combination of government and business resources will be useful in detecting, tracking, and identifying the cyber attacker. By committing more time and resources to the matter, detecting cyber incidents will likely become more efficient.

Potential Risks

Although members may fear that other participants might compromise or use their information against them, the administrative body will use all security precautions possible in order to prevent misuse of data and breaches to the system. As an extra precaution, the system will be designed in such a way that the reporting agency remains anonymous, so if the information is misused or stolen, it would be difficult to trace back to the reporting member. In addition, it is highly encouraged that the member discloses only validated information. If the member discloses incorrect information, then intelligence and attribution may be incorrect, and it may damage the reputation of ICIRS. There is no way to prevent all risk; however, mitigation is possible if the reporting member meticulously reviews all of the reportable information before sending it to the database.

Conclusion

ICIRS is necessary for reducing the number of future cyber attacks on critical infrastructure. As the interconnectivity of critical infrastructure assets to the Internet increases, cyber incidents are likewise increasing. Information sharing is a key component in mitigating risks that cyber attackers pose to national and international critical infrastructure.

ICIRS has the potential to increase knowledge and awareness of current and future threats and best practices for defense against such attacks. Participation in ICIRS would be voluntary and anonymous in nature in order to encourage incident reporting. This structure will provide an area for collaboration and innovation in cybersecurity.[27] The shared information will act as an early warning system for vulnerabilities targeted in all organizational members, such as critical infrastructure vulnerabilities. This structure will not only help to mitigate known attacks but will also serve as a forum for analyzing and forecasting future attacks and surfacing ways to prevent them or mitigate the risk they pose. Furthermore, the combination of government and business resources will be useful in detecting, tracking, and identifying the cyber attacker. By committing more time and resources to the matter, detecting cyber incidents will likely become more efficient. Through ICIRS, governments and businesses around the world will work together to improve cybersecurity for all critical infrastructure.

The work presented in this paper was supported by Argonne National Laboratory under US Department of Energy contract number DE-AC02-06CH11357. The submitted manuscript has been created by UChicago Argonne, LLC, Operator of Argonne. Argonne, a U.S. Department of Energy Office of Science laboratory, is operated under Contract No. DE-AC02-06CH11357. The U.S. Government retains for itself, and others acting on its behalf, a paid-up nonexclusive, irrevocable worldwide license in said article to reproduce, prepare derivative works, distribute copies to the public, and perform publicly and display publicly, by or on behalf of the Government.

If you would like more information regarding this paper, please contact Amanda Joyce at atheel@anl.gov.


References

[1] “Information Sharing,” U.S. Department of Homeland Security, last updated Sept. 27, 2016, https://www.dhs.gov/topic/cybersecurity-information-sharing.

[2] Larry Ponemon, “Cost of Data Breaches Rising Globally, Says ‘2015 Cost of a Data Breach Study: Global Analysis,’” SecurityIntelligence.com, May 27, 2015, https://securityintelligence.com/cost-of-a-data-breach-2015/.

[3] 2015 Cost of Data Breach Study: Global Analysis (Ponemon Institute LLC, 2015), https://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF.

[4] Kevin Townsend, “Incident Response Plans Reduce Cost of Data Breach: Study,” Security Week, June 16, 2016, http://www.securityweek.com/incident-response-plans-reduce-cost-data-breach-study.

[5] “Risk Mitigation Planning, Implementation, and Progress Monitoring,” in Systems Engineering Guide (MITRE, 2016), https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-mitigation-planning-implementation-and-progress-monitoring.

[6] “About NCI,” National Council of ISACS, http://www.nationalisacs.org/about-nci.

[7] Preliminary Workshop Comparing U.S. Cybersecurity Framework and EU NIS Platform Approaches: Summary Report (Brussels: European Commission, 2014), https://resilience.enisa.europa.eu/nis-platform/shared-documents/eu-us-preliminary-workshop-comparing-approaches/Summary_report_US-EU_preliminary_workshop-24_November_2014.pdf (hereafter “Preliminary Workshop”).

[8] “About Us,” US-CERT, https://www.us-cert.gov/about-us.

[9] “About the Industrial Control Systems Cyber Emergency Response Team,” ICS-CERT, https://ics-cert.us-cert.gov/About-Industrial-Control-Systems-Cyber-Emergency-Response-Team.

[10] Paul Cichonski, et al., Rev. 2, Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology, Special Publication 800-61 (U.S. Department of Commerce, 2012), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

[11] “Information Sharing,” U.S. Department of Homeland Security, last updated Sept. 27, 2016, https://www.dhs.gov/topic/cybersecurity-information-sharing.

[12] “Information Sharing and Analysis Organizations (ISAOs),” U.S. Department of Homeland Security, last updated April 13, 2016, https://www.dhs.gov/isao.

[13] Fact Sheet: Executive Order Promoting Private Sector Cybersecurity Information Sharing (The White House: Office of the Press Secretary, Feb. 12, 2015), https://www.whitehouse.gov/the-press-office/2015/02/12/fact-sheet-executive-order-promoting-private-sector-cybersecurity-inform.

[14] Ibid.

[15] Preliminary Workshop, supra note 7.

[16] “Common Threats Shape Nordic-Baltic Cyber Cooperation,” Defense News, Dec. 10, 2014, http://www.defensenews.com/story/defense/international/europe/2014/12/10/common-threats-shape-nordic-baltic-cyber-cooperation-/20215605/.

[17] “Cyber Defence,” North Atlantic Treaty Organization, last updated July 27, 2016, http://www.nato.int/cps/en/natohq/topics_78170.htm.

[18] Ibid.

[19] “Cybersecurity: A Global Issue Demanding a Global Approach,” United Nations, Dec. 12, 2011, http://www.un.org/en/development/desa/news/ecosoc/cybersecurity-demands-global-approach.html.

[20] “Frequently Asked Questions,” CERT-Australia, https://www.cert.gov.au/faq.

[21] The website of National Intelligence Service Korea, http://www.nis.go.kr/AF/1_7.do.

[22] The website of National Information Security Center: Japan, http://www.nisc.go.jp/eng/index.html.

[23] The website of Israel National Cyber Event Readiness Team, https://cert.gov.il/Pages/Home.aspx.

[24] “Who We Are,” Computer Security Incident Response Team (CSIRT): Republic of South Africa, http://www.ssa.gov.za/CSIRT.aspx.

[25] “Qué Hacemos,” ICIC (Programa Nacional de Infraestructuras Críticas de Información y Ciberseguridad), http://www.icic.gob.ar/.

[26] “About ISACS,” National Council of ISACS, http://www.nationalisacs.org/#!about-isacs/vu5l7.

[27] Ibid.