Two Harvard University security researchers have developed a model showing that enterprises that share their sensitive data about network attacks and security breaches are less attractive targets and, hence, less likely to be attacked.
The paper, to be presented later this month at the Financial Cryptography conference in Gosier, Guadeloupe, supports the U.S. governments contentions about the importance of sharing attack data. But it also concludes that many of the benefits that can accrue from such an arrangement wont be realized soon.
"I absolutely believe that theres value in information sharing, and I think that value will grow," said Stuart Schechter, a doctoral candidate in computer science at Harvard, in Cambridge, Mass., and co-author of the paper. "I think the change [toward information sharing] will be driven by insurance companies, who will offer lower premiums for companies that share."
Schechters paper, written with Michael Smith, a professor of computer science and electrical engineering at Harvard, asserts that attackers exploiting vulnerabilities in off-the-shelf software will be less likely to attack a particular company if that organization is known to share attack data with other enterprises and/or the government and law enforcement. The reason is that attackers who spend time, and in some cases money, finding and exploiting vulnerabilities in common applications will not want information about their attacks shared, as it would reduce their chances of compromising other potential targets.
Government security officials in recent months have talked often of their desire to gather more attack data from enterprises. Presumably, the information the government would gather would be analyzed and then passed to the general public to warn of ongoing attacks and potential threats.
The next draft of the National Strategy to Secure Cyberspace, due early this year, is expected to include language encouraging CIOs to forward more information to the government.
But not everyone agrees with the governments proposal.
"There are better ways to do that than requiring it," said Mark Rasch, senior vice president and chief security counsel at Solutionary Inc., a security vendor based in Omaha, Neb. "What they need is incident data, and the problem there is that it generally requires a person to recognize the attack and make the decision to share the information. It could be set up in an automated way, but the government would have to fund it, and the political question is the level of the governments involvement. What will they do with this data?"
And that is what concerns enterprises most. Security specialists and CIOs worry that sharing sensitive data with anyone, especially the government, will expose them to embarrassment and potential lawsuits from customers.
"How about sharing the technical details of successful intrusions in a more public way, via an organization that would be perceived as neutral? Perhaps an additional role for CERT [Coordination Center], SANS [Institute] or even BugTraq—an expansion of the way we now share reports of vulnerabilities in specific products," said Karl Keller, president of IS Power Inc., a custom software developer in Thousand Oaks, Calif. "No new bureaucracy need arise. The victim could remain anonymous. What is important is the publicity for infrastructure-specific vulnerabilities and countermeasures. Thats an extension of the present component/vendor-specific vulnerability and patch reporting were used to."
SHARE AND SHARE ALIKEConclusions of the forthcoming Harvard paper:
"Its kind of a mess right now. No ones said whos going where and whos doing what," said one government security employee, who asked to remain anonymous.
A current version of the national strategy making the rounds in Washington is short on details and recommendations and long on broad policy pronouncements, according to people with knowledge of the document. Despite the governments fondness for information sharing, dont expect to see any mandates along those lines, sources said.
"There will be a lot of rhetoric about it because thats one of the few things that we can actually do," Rasch said. "Its impossible for [the government] to set a standard of care in this area because they dont do it themselves. They talk about leading by example in there, but thats not happening."