Cybersecurity intelligence sharing needs to get better

The time for organizations to start creating more formal bilateral agreements to share cybersecurity intelligence modeled on similar agreements that countries around the world are making has arrived.

The latest example of cybersecurity cooperation agreements is an accord between the United States and South Korea. The two countries have pledged to:

• Develop and implement tools and threat mitigation to deter malicious actors.
• Participate in information-sharing and cooperation to detect, deter and disrupt malicious activities in cyberspace.
• Collaborate in international forums and promote the framework for responsible peacetime state behavior in cyberspace and hold accountable irresponsible states that destabilize activity in cyberspace.
• Participate in joint cyber exercises between the United States and the ROK and cooperate in the research and development of core technologies to protect critical national infrastructure.
• Cooperate in policy and institutional improvements for personnel training, e.g., cybersecurity expert exchanges and educational support and enhancing the cooperation between private sectors.
• Enhance the public-private partnership within academia and sharing of cyberthreat information in real-time
• Cooperate on the development of additional cyber capacity

This agreement is similar in scope to existing agreements between multiple countries that are based on the Five Eyes Alliance between the U.S., United Kingdom, Canada, Australia, and New Zealand which traces its lineage back to the Atlantic Charter initially created in 1941. That agreement enables these countries to share everything from intercepted phone calls and emails to tracking missile launches.

There is also a Nine Eyes version of the alliance that includes Denmark, France, Netherlands, and Norway which extends the surveillance reach of the parties to the agreement, and a Fourteen Eyes version that includes Belgium, Germany, Italy, Spain, and Sweden.

Most recently, the members of the Five Eyes Alliance issues a warning that alleges China had found a way via a team of hackers known as Volt Typhoon to compromise critical communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education services around the globe, including U.S. naval installations in Guam.

If it makes sense for countries to share cybersecurity intelligence it stands to reason organizations should similarly follow suit. Many organizations have historically been reluctant to share cybersecurity intelligence for fear of disclosing a weakness that might be exploited by cybercriminals. However, it’s pretty apparent that cybercriminal organizations are actively sharing not just intelligence but also tactics and techniques. Organizations that share cybersecurity intelligence clearly at this point have a lot more to gain than they might possibly lose.

Many organizations, of course, have been informally sharing cybersecurity intelligence with others, including government agencies, for years but the time has come to make the sharing of that intelligence a regular occurrence. The challenge is the disclosure of that intelligence needs to be able to occur in a way that doesn’t result in an organization being fined for violating a compliance mandate. Organizations that contribute cybersecurity intelligence are almost by definition exercising a level of due diligence that indicates they take the issue seriously enough to not be deemed as reckless. As such, any penalties assessed would appropriately be of the most minimal. Otherwise, organizations will continue to hide in the shadows simply because the financial risks associated with trying to do the right thing remain too high.