This document discusses cybersecurity challenges related to information sharing between the public and private sectors. It outlines the concerns the private sector has about sharing information, including losing control and having proprietary information disclosed through FOIA requests. Information sharing is presented as a way to help early detection, resolution and prevention of cyberattacks. The document also proposes tools like STIX, CybOX and TAXII to help the public and private sectors better share threat information and collaborate on cybersecurity issues.
1. Cybersecurity Challenge:
Information Sharing between the
Public-Private Sectors
Deloris Bryant
CRJ-475Z Senior Project
Dr. Shanna Van Slyke
May 12, 2015
2. Information sharing between the Public and the Private Sector
Importance of information sharing
Private sector concerns
Unite in the fight against cybercrimes
Cybersecurity Challenge
3. Are we doing enough to protect ourselves against cybercrimes?
Cybersecurity is a critical issue
Need to navigate through the cyber process together
75% of the country’s computers have been exploited by criminals (Hearing before the Committee on Armed Services, House of Representatives, 112th Congress, March 16, 2011)
Estimated loss of $100 billion in intellectual property alone in the U.S. This estimate is about 0.6% of the U.S. economy, and this number does not even include other types of cybercrimes (Nakashima & Peterson, 2014).
Importance of Information Sharing
4. Survey conducted by the Ponemon Institute with Hewlett-Packard (Ponemon Institute LLC, 2014)
Cyberattacks increased 176% in the last 4 years
Average time to detect attack – 170 days
Resolution time once detected – 45 days
Financial losses incurred during this time could be in the millions.
5. Another survey conducted by the Ponemon Institute, sponsored by IBM (Ponemon Institute LLC, 2014)
The cost of data breaches incurred by organizations, on average, was $5.9 million
Cost incurred the previous year was $5.4 million
Loss of business cost went from $3.03 million to $3.2 million
Cost includes:
Reputation loss
Loss of customers
Cost of acquiring new customers
6. Different agenda for the public-private sectors
Private sector - profit earnings and the bottom line
Public sector - not divulging intelligence as it relates to national security
Cost-effective
Early detection
Termination
Prevention
Financial savings and manpower
“Real-time awareness” (Norton, 2014)
“the backbone of security” (Rosenbush, 2014)
7. Private Sector Concerns
Giving up control
Company process
In-house strategies to handle security issues
Fear that the public sector will mandate a change in security strategies
Risk of allowing other entities to explore privileged information, which can be discoverable through a Freedom of Information Act (FOIA) request (United States Department of Justice, n.d.)
Private Sector Concerns
8. Timing of information
Constraints and bureaucratic hoops
The time to quickly implement a solution could be lost
Not knowing what agency, department or appropriate individual to contact in a breach situation
National security obligations, which may involve clearance issues, restrict the release of some critical information
Proper public-private sector information sharing needs to happen more smoothly
9. Negative exposure
Type of information disclosed
When it is disclosed
Company put in a bad light due to breach
Company needs time to thoroughly investigate the issue
Liability
Corporate executives held responsible for inadequate protection
Information not released in a timely manner to protect customers’ private information
How well the company responded and how quickly the issue is resolved
10. Trust
Need assurance from the public sector
Proprietary information will not be divulged
Need open communication
Provide quantifiable information
Coordination is needed for preemptive measures
Risks
Misrepresentation of the severity of a cyber issue if information is not released in a timely manner
Triggering complaints of negligence or inadequate security protection
Absorbing the loss incurred rather than revealing a weakness
11. Regulatory issues
Regulatory laws and requirements
Fear of public sector agencies
SEC, FTC, FCC, CFPB and others alike
Federal Trade Commission (FTC)
Enforcing data security
Issued guidelines for organizations with regard to data security
Failure to follow proper data security procedures could result in litigation
12. Securities and Exchange Commission (SEC)
Oversight of the security measures that companies are expected to follow and maintain
Released guidance for publicly traded companies
Obligation to release and disclose incidents of cyberattacks (Clarke & Olcott, 2014)
13. Collaboration is key to unite in the fight against cybercrimes
Promote awareness
Educate each other
Share timely information that is actionable
Public sector contribution
Executive Order
Addresses privacy concerns along with concerns regarding private sector liability
Cybersecurity Framework
Unite in the Fight Against Cybercrimes
14. Comprehensive National Cybersecurity Initiative (CNCI)
Front line of defense against immediate threats
Defend against threats
Strengthen future cybersecurity environment
Protecting Cyber Networks Act (sponsor: Rep. Nunes, Devin [R-CA-22]) (Congress, 2015)
Passed the House and was received in the Senate; it aims to help the private sector share cyber threat information by removing some legal obstacles (Congress, 2015)
15. Cyber Intelligence Sharing and Protection Act (CISPA) (Congress, 2015)
Introduced to address the “real-time sharing of actionable, situational cyber threat information” (Congress, 2015)
The Cybersecurity Information Sharing Act of 2015 (CISA) (U.S. Senate Committee, 2015)
This bill was approved by the Senate Select Committee on Intelligence.
This bill allows for the sharing of information between the government and the private sector with liability protection, so as to facilitate the sharing of data relating to cybersecurity threats.
16. National Cybersecurity Protection Advancement Act of 2015
This bill has passed the House and is an amendment to the Homeland Security Act of 2002 that improves the sharing of information in addition to clarifying privacy protection as it relates to cybersecurity risk (Congress, 2015).
The key to any policy, strategy or initiative is “real-time” information sharing and “actionable intelligence” (U.S., 2014), which many of the above bills reiterate.
17. For public-private collaboration to work, they need to be on the same page and speak the same language when sharing information.
Three tools that will aid the collection and distribution of cyber threat information between the two sectors
Structured Threat Information Expression (STIX)
The MITRE Corp. and the Department of Homeland Security collaborated in developing this tool to address issues like interoperability, threat indicators and mitigation efforts (Barnum, 2014)
Public-Private Sectors Collaboration
18. Cyber Observables eXpression (CybOX)
A tool for “addressing cyber observables across and among this full range of use cases improving consistency, efficiency, interoperability, and overall situational awareness” (Corporation, 2015)
Trusted Automated eXchange of Indicator Information (TAXII)
TAXII is the means by which both STIX and CybOX information is transported (Connolly, Davidson, Richard, & Skorupka, 2012)
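As an added example that is not part of the original slides nor of the MITRE projects' own code, the following Python script shows how the three tools layer together on the receiving side: a TAXII 1.1 Poll_Response carries a STIX 1.1.1 package whose Indicator wraps a CybOX DomainName observable, and a defender's consumer pulls the indicator out and matches it against DNS log lines. The sample XML, its ids, the domain and the log lines are constructed for this example; the namespace URIs and the `urn:stix.mitre.org:xml:1.1.1` content binding are assumed from the 1.x XML bindings rather than taken from the slides.

```python
import xml.etree.ElementTree as ET

# Namespace URIs of the TAXII 1.1, STIX 1.1.1 and CybOX 2.1 XML bindings (assumed)
NS = {"taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
      "stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1"}
# Constructed sample (ids and domain are made up): a TAXII Poll_Response carrying a STIX package whose one Indicator wraps a CybOX DomainName observable.
SAMPLE_POLL_RESPONSE = """<taxii_11:Poll_Response message_id="1" in_response_to="0"
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1">
 <taxii_11:Content_Block><taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
  <taxii_11:Content>
   <stix:STIX_Package id="example:Package-1" version="1.1.1"
     xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
     xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1">
    <stix:Indicators>
     <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>C2 domain used by a phishing campaign</indicator:Title>
      <indicator:Observable id="example:Observable-1"><cybox:Object id="example:Object-1">
       <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
        <DomainNameObj:Value condition="Equals">c2.example.invalid</DomainNameObj:Value>
       </cybox:Properties></cybox:Object></indicator:Observable>
     </stix:Indicator>
    </stix:Indicators>
   </stix:STIX_Package>
  </taxii_11:Content></taxii_11:Content_Block>
</taxii_11:Poll_Response>"""

def extract_domain_indicators(poll_response_xml):
    """Map each CybOX DomainName value to its STIX indicator title (STIX XML blocks only)."""
    found = {}
    for block in ET.fromstring(poll_response_xml).findall("taxii_11:Content_Block", NS):
        binding = block.find("taxii_11:Content_Binding", NS)
        if binding is None or not binding.get("binding_id", "").startswith("urn:stix.mitre.org:xml:"):
            continue  # not STIX: a consumer should ignore bindings it does not understand
        for ind in block.iterfind(".//stix:Indicator", NS):
            title = ind.findtext("indicator:Title", default="", namespaces=NS)
            for value in ind.iterfind(".//DomainNameObj:Value", NS):
                found[value.text.strip().lower().rstrip(".")] = title
    return found

def match_dns_log(poll_response_xml, log_lines):
    """Flag constructed '<client> <queried_name>' DNS log lines that hit a shared indicator."""
    iocs, hits = extract_domain_indicators(poll_response_xml), []
    for line in log_lines:
        client, name = line.split()
        if (key := name.lower().rstrip(".")) in iocs:
            hits.append((client, name, iocs[key]))
    return hits
```

Matching is case-insensitive and ignores a trailing dot, so a fully qualified query such as `C2.EXAMPLE.INVALID.` still hits the shared indicator.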
19. Both individuals and companies are collaborating to produce methods to share data securely
The United States Patent and Trademark Office (USPTO) is enthusiastic about examining cybersecurity patents.
The top 5 companies filing patent applications in the field of information security are: IBM (173 patents), Symantec (103 patents), Google (71 patents), Microsoft (67 patents) and Samsung (64 patents) (United States Patent and Trademark Office, 2014)
Private Sector Contribution
20. Large corporations are not the only organizations that are developing improved responses to cyber threats.
Swan Island Networks, Inc. launched:
The Trusted Information Exchange Service (TIES)
“help protect more than 250 large enterprises and 20% of Fortune 100 companies every day” (Swan Island Networks, 2015)
Filed a patent application in April 2013 for “Human-Authorized Trust Service”, patent application number 20130312115
Defines methods that allow trusted access to data between two parties (Jennings & Jones)
21. Norse Corporation
Filed a patent application (patent application number: 61508493) in July 2012
Defines systems and methods for “gathering, classifying, and evaluating real time security intelligence data concerning security threats presented by an IP address, and reporting in real time the degree and character of such security threats” (USPTO, 2012).
22. Cybersecurity poses a growing and real threat
Private sector communicated concerns
Improvements by public sector include:
Introducing new legislation
Updating previous ones to address current concerns
President Obama’s term is coming to an end
His cybersecurity initiative needs to be a top priority for the next administration.
Conclusion
Reference
Barnum, S. (2014, February 20). Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). MITRE Corporation, v1.1, Rev. 1. Retrieved from http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.1.pdf
Clarke, R., & Olcott, J. (2014, March). The board's role in cybersecurity. Retrieved from http://www.kispertgroup.com/wp-content/uploads/2014/06/Good_Harbor_Directors_Note_Cyber.pdf
Congress, 1. (2015, February 2). H.R.234 - Cyber Intelligence Sharing and Protection Act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/234?q=%7B%22search%22%3A%5B%22cyber+intelligence%22%5D%7D
Congress, 1. (2015, April 22). H.R.1560 - Protecting cyber networks act. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1560?q=%7B%22search%22%3A%5B%22The+Protecting+Cyber+Networks+Act%22%5D%7D
Congress, 1. (2015, April 23). H.R.1731 - National cybersecurity protection advancement act of 2015. Retrieved from https://www.congress.gov/bill/114th-congress/house-bill/1731?q=%7B%22search%22%3A%5B%22cybersecurity%22%5D%7D
Connolly, J., Davidson, M., Richard, M., & Skorupka, C. (2012, November 8). The trusted automated eXchange of indicator information (TAXII). Retrieved from http://taxii.mitre.org/about/documents/Introduction_to_TAXII_White_Paper_November_2012.pdf
Corporation, MITRE. (2015, April 14). CybOX, v2.1. Retrieved from http://cybox.mitre.org/
Hearing before the Committee on Armed Services, House of Representatives, 112th Congress (March 16, 2011). National defense authorization act for fiscal year 2012 (H.A.S.C. No. 112-26) (statement of General Keith B. Alexander, US Cyber Command). Retrieved from http://fas.org/irp/congress/2011_hr/cybercom.pdf
Jennings, C., & Jones, D. M. (2013, November 21). Publication 20130312115 - Human-authorized trust service. Retrieved from http://www.ptodirect.com/Results/Publications?p=1&r=34&query=%40PD%3E%3D20131119%3C%3D20131125
Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445 billion annually. Retrieved from http://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
Norton, S. (2014, September 30). Former NSA director: Better information sharing needed on cybersecurity. Retrieved from http://blogs.wsj.com/cio/2014/09/30/former-nsa-director-better-information-sharing-needed-on-cybersecurity/
Ponemon Institute LLC. (2014, May). 2014 cost of data breach study: United States. Retrieved from http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=GTSE_SE_SE_USEN&htmlfid=SEL03017USEN&attachment=SEL03017USEN.PDF#loaded
Ponemon Institute LLC. (2014, October). 2014 global report on the cost of cyber crime. Retrieved from https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-5207enw.pdf
Rosenbush, S. (2014, June 20). Former NSA Chief Mike McConnell says culture, not tech, is key to cyber defense. Retrieved from http://blogs.wsj.com/cio/2014/06/20/former-nsa-chief-mike-mcconnell-says-culture-not-tech-is-key-to-cyber-defense/
Swan Island Networks. (2015). About Swan Island Networks, Inc. Retrieved from swanisland.net/company
U.S. (2014, November 3). Partners in cybercrime prevention. Retrieved from http://www.nationaljournal.com/library/198396
USPTO. (2012, July 16). Norse Corporation Patent Appl. No.: 13/550,354. Retrieved from http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=3&f=G&l=50&co1=AND&d=PTXT&s1=cybersecurity&s2=google&OS=cybersecurity+AND+google&RS=cybersecurity+AND+google
United States Department of Justice. (n.d.). What is FOIA? Retrieved from http://www.foia.gov/index.html
United States Patent and Trademark Office. (2014, November 14). Cybersecurity partnership. Retrieved from http://www.uspto.gov/about/contacts/phone_directory/pat_tech/nov2014-cybersecurity-partnership-presentation.pdf
United States Senate Committee. (2015, March 12). Sen. Carper statement on the cybersecurity information sharing act (CISA). Retrieved from http://www.hsgac.senate.gov/media/minority-media/sen-carper-statement-on-the-cybersecurity-information-sharing-act-cisa