Alan Paller, director of research at the SANS Institute, says the desire of some companies to sell cyber protection products makes the sharing of information about cyber crimes more problematic. (SANS Institute)
WASHINGTON — As the defense industry sorts out the complications of information sharing and improved cyber protection, it might turn to another sector thought by many experts to have the best security in the US: financial firms.
It may not be surprising that financial groups effectively protect their networks; a successful attack could cost a company millions, if not billions, of dollars. That drove financial firms to launch an industry information-sharing initiative in 1999, creating one of the better repositories of information on attacks and attackers in the world.
Defense companies normally don’t face that kind of risk. If an attacker breaks in and steals fighter jet designs, the company probably won’t lose any money because it is unlikely the company would have been allowed to sell the fighter to the attacking nation.
But what financial industry insiders point to is that the collective need for protection has overwhelmed the natural distrust and competitiveness of the individual companies.
“Within financial services, security and cyber issues have really become a noncompetitive issue,” said John Carlson, executive vice president of technology risk at BITS.
Carlson, speaking with Lilly Thomas and Brian Peretti at a recent Atlantic Council event, said the cooperative spirit does serve as a bit of an outlier.
“That’s not necessarily the case in the IT community more broadly, with security firms that are competing very aggressively for marketing products and services. But within financial services, there is a sense that we need to share information, we need to collaborate,” he said.
What has made it difficult at times for defense companies is that beyond the need for protection, many are also trying to sell protection services. Nearly every major defense contractor has a stated goal of growing its cyber business, often marketing its products as having superior intelligence on the threat environment.
“If they can say that they’re the ones who understand threats to the defense industrial base, they can sell a product,” said Alan Paller, director of research at the SANS Institute.
Despite that desire, the US Defense Department has leaned heavily on contractors to share information with the Defense Cyber Crime Center. But sources and experts have said that the quality of the data provided was modest, with companies withholding what they could.
“They didn’t want to make the central sharing database good, because they wanted to offer it as a service as well,” Paller said.
There’s also the issue of trust. The most prominent initiative to increase information sharing was the Defense Industrial Base cyber pilot program. That program, while slow to get going, eventually started to yield better intelligence, according to sources. But as soon as the program’s control was transferred from the Defense Department to the Department of Homeland Security in 2012, companies became increasingly fearful of leaks.
That lack of trust has been one of the reasons industry has pushed for new legislation to protect companies that share information. Such legislation has passed in the US House, but has yet to be voted upon in the Senate, which has focused on more comprehensive legislation.
But in the financial world, a level of trust has developed, Carlson said.
“They have to have trust. That is a critical element of this,” he said. “They may not even have agreements amongst themselves to protect the information, but they trust one another and are willing to take the risk.”
The ability to get and share that data from companies is crucial because government, despite concerns stoked by the Edward Snowden disclosures, doesn’t have effective visibility on all of the company networks.
“If you just look to us, for government to tell you how the next attack is going to come, that’s probably not going to be the most effective, because we don’t see all the attacks,” said Peretti, acting director of the Office of Critical Infrastructure Protection and Compliance Policy at the Treasury Department.
The Defense Department is trying to set up a public/private mechanism for information sharing, but it has hit some bumps along the way. In January, the Government Accountability Office sustained a protest to a $26 million contract to provide support for the new DIBNet, citing a failure by the Defense Information Systems Agency to “reasonably evaluate” the virtues of alternative bids. That deal will be recompeted in the coming months.
Other contracts for DIBNet have been less contentious, with several going to the cyber behemoth Booz Allen Hamilton.
Paller said that it takes time to convince participants to give up meaningful information, citing one English group’s experience.
“For the first five meetings, people just sat there and just absorbed information, but by the sixth meeting, people opened up completely,” he said. “If there is a reason to trust, a really strong reason to trust, sharing can happen.”
For defense, there’s the complication of working with a complex industrial base that includes many smaller companies, some of which might not have the best security practices. One suggestion has been to create minimum standards for security.
Such standards exist in the financial sector but can be a burden, according to Lilly Thomas, vice president of Independent Community Bankers of America, an association of smaller financial institutions.
One big problem is that these institutions have to rely on third party vendors because having a private security team is expensive, Thomas said.
Defense and the financial sector share some common problems, but according to Carlson, cooperation has proved to be the greatest tool the financial sector has used, and it is something defense might need as well.
“In response to the increasing cyber threat, the financial services sector has really worked much more closely together,” he said.