What does it take to cooperate in cyber-security

Cooperation is “the process of groups of organisms working or acting together for common or mutual benefit, as opposed to working in competition for selfish benefit” (Wikipedia).

Thus, mutual benefit seems to be the key ingredient here. Nevertheless, identifying the mutual benefit appears to be an issue in cyber-security (and other fields, for that matter) as the level of cooperation still seems to be quite low, even after more than 15 years of global awareness in the area.

The year 2017 has been a cornerstone in cyber security. The WannaCry and Petya/NotPetya attacks have clearly demonstrated that cyber can easily cause disruptions with strong impact in real life to a large part of the world population. Moreover, earlier attack types like Stuxnet have demonstrated a disruptive capability but only when focused on specific targets and as a result of serious investments. On the other hand, these attacks have clearly demonstrated that everything is possible in cyber and we need to be prepared.

Cooperation plays a big role when it comes to being prepared for cyber attacks. Even if you just rely on different types of solutions deployed within your corporate environment, you can be sure that most of them are using some sort of threat intelligence feeds that have been built based on different types of cooperation agreements that the vendor has.

Cooperation in cyber security  is indeed a very broad term, therefore, for the purpose of this article I am referring to the following:

  • cooperation with partners in case of incidents/attacks: sharing data with industry partners, sharing data with customers so that they can determine impact and act quickly, sharing data with national authorities so that potential disruptive situations can be avoided.
  • partnerships with similar players/competitors in the industry for exchanging best practices on a regular basis: some initiatives are described below, and their number continues to grow.
  • transparency as regards publicly reporting cyber-incidents/attacks: if you offer digital services on which many customers depend, being transparent about any kind of issues with your service is becoming a requirement in many countries. Partners that depend on you, need to be aware of any kind of issues that may affects their activities.

Cooperation is not something new in cyber. We have been discussing about it for at least 10-15 years now, and to be honest, several communities have reached a satisfying level of cooperation. Nevertheless, as cyber-security has become a global issue, it is becoming obvious that we need more of it and at many more levels.

When it comes to CERTs/CSIRTs environments and LEA (law enforcement agencies), cooperation comes as a prerequisite. Achieving results within these communities is strongly related to having as many partners as possible. Here, activities are based on intensive exchange of IOCs and coordinated actions etc. Usually, cooperation in this area appears when there is a strong mutual benefit for both parties, such as taking down a botnet or other type of malicious resource. There are multiple examples of such cooperation initiatives worldwide. [2][3][4][5]

Financial Services Information Sharing and Analysis Center (FS-ISAC), is “the global financial industry’s go to resource for cyber and physical threat intelligence analysis and sharing”. FS-ISAC acts as an information sharing hub between different financial organizations across the world and offers different kinds of services from physical meetings to threat intelligence feeds. This is a clear example of cooperation within one vertical industry sector, which is finance. This article will give you more insights on other types of ISACs worldwide. As you will notice we don’t have so many of them and we don’t know exactly how efficient many of them are.

Other sporadic cross-industry cooperation initiatives include ICS-CERT, a national state sponsored initiative in the USA that serves all industry sectors relying on Industrial Control Systems (ICS). All in all, that is it, nothing more! You may find out there other initiatives on national or regional level for sectors such as finance, transportation or eHealth, but nothing concrete, with tangible results.

Usually specialized organizations, acting in cyber security area, rely on multiple partners so as to cover the many pillars where cyber can have a serious impact. In this respect, it’s common to see partnerships with technology vendors, cyber insurance companies, law firms specialized in privacy and data breaches, so as to cover the full chain of possible client needs in terms of cyber security. You can find a good example in this area here, from Secureworks, a global leader in managed security services and the company that I currently work for.

So, we might conclude that we do have a certain level of cooperation in cyber security, but mainly at national level and, to a lower extent, at sectorial levels, but only in certain sectors. Specialized cyber security vendors or service providers are usually characterized by a strong policy in this area.

Short analysis

If we turn to game theory we might have a reasonable answer from the classic prisoner’s dilemma. Intensive research done on this topic showed that “the only possible outcome for two purely rational prisoners is for them to betray each other”[1], because this option offers the greatest reward. For cooperation to emerge between rational players, the total number of rounds played, must be unknown to the players. In the iterated version of the prisoner’s dilemma betraying may no longer be a strictly dominant strategy, but only in certain circumstances. Among results shown by Robert Aumann in a 1959 paper, rational players repeatedly interacting for indefinitely long games can sustain the cooperative outcome.

So it could be that it is in our nature to go for the greatest reward, no mater what the consequences upon the others. More details on the topic can be found here, this resource being one out of many interesting research papers out there. According to the source, social cooperation (as any other social dilemmas) can be defined by three characteristics (Dawes, 1980; Messick and Brewer, 1983; Yamagishi, 1986):

(1) a non-cooperative choice is always more profitable to the individual than a cooperative choice;

(2) a non-cooperative choice is always harmful to others compared to a cooperative choice;

(3) the aggregate amount of harm done to others by a non-cooperative choice is greater than the profit to the individual.

So, the non-cooperative choice will harm the others and the amount of harm done is always greater than the individual benefit. And the research continues with the identification of two classes of variables that influence cooperation in commons dilemmas: individual differences (social motives, gender) and situational factors (payoff structure, uncertainty, power and status, group size, communication, causes, and frames).

Cooperation is mostly important in cases of incidents/attacks or when it comes to incident management. Sharing details of a breach is firstly a moral thing to do against your clients, as they might also be impacted by your loss. Secondly, it can also support other similar companies that might be in the same position. Breach disclosure done at the right time and with the right means can minimize the total negative impact towards potential affected parties. Nevertheless, it is in these situations that affected parties try to maintain their current level of benefit by concealing any potential impact that the incident has had. Vendors affected by  a breachwill usually try to reduce any negative reputational damage, so the amount of shared info will be reduced to a minimum, as well as the number of sharing partners.

But in the light of last year’s developments, things are prone to change. The WannaCry and Petya/NotPetya attacks demonstrated the clear need of cooperation at multiple levels. Solving the crisis of last year engaged a lot of stakeholders that needed to work together to solve a problem (vendors, researchers, governmental agencies etc.). It was this cooperation frenzy that helped many organizations recover after the crash and ultimately made available to the public some free decryption tools. Following the principle of “never let a good crisis go to waste” we might assume that the industry (and not only) has learned a valuable lesson from these events and will be better prepared form the next one.

ESET’s senior researcher, Stephen Cobb, provides a very good insight, from the RSA 2018 Conference, on how big players view the current situation: “[…] reading between the lines at I got the sense that there is a growing realization within the industry that working together in the way we have been doing so far might not be enough”.

Conclusion

So, non-cooperation has become clearly visible, even at the highest levels, and response strategies have started to be drafted.  One notable move is the new Cybersecurity Tech Accord, which had their first meeting during the above mentioned conference. The accord was signed between 34 global technology and security companies that agreed to “defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states”. Nevertheless, some time has to pass until we can see some tangible results or we can really assess the usefulness of this accord.

Boosting cooperation in cyber-security is a must. We need to properly face all new types of threats and cooperation can lead organizations one step further in their struggle. Nevertheless, we need to reach beyond our conservative basic need of pursuing the fastest reward and go for the type of reward that can bring benefits to multiple players. But struggling with our own nature can be difficult, therefore various types of measures can be taken to leverage this kind of mind switch:

  • Wider international adoption of mandatory incident reporting policies: following the example of the EU Network and Information Security Directive, mandatory incident reporting at national levels should be encouraged, but not grounded. A comprehensive view upon the types of incidents affecting a particular industry within a country can facilitate the adoption of proper public policies. Being aware of the extend of a phenomenon is never wrong.
  • Encouraging international public policies for information sharing in cyber security. As organizations tend to follow their own benefit without considering the overall harm done at other levels, public policies in this area must encourage information sharing and it’s benefits to different ecosystems
  • Adopting international treaties to regulate activities in cyber-space: a good view on this topic can be found here.
  • Supporting industry ISACs or other means of sharing information within industry sectors.
  • Support public private partnerships: as most of the products and infrastructure are private, their involvement is more than necessary, at any level.

The above list is of course non-exhaustive, so please, feel free to contribute in any way if you feel the need.

 

P.S. Blog post initially posted on the 15th of May 2018. Reedited and republished 31st of January 2019.

Post available also on:

https://www.linkedin.com/pulse/what-does-take-cooperate-cyber-security-dan-tofan/

https://medium.com/@tofandan/what-does-it-take-to-cooperate-in-cyber-security-3921e9c0eece

 

 

References:

[1] https://en.wikipedia.org/wiki/Prisoner’s_dilemma

[2] https://www.scmagazineuk.com/europol-calls-for-cooperation-on-darkweb-and-iot-use-by-criminals/article/701636/

[3] https://www.nomoreransom.org/en/partners.html

[4] https://www.europol.europa.eu/newsroom/news/law-enforcement-and-private-sector-join-forces-to-shut-down-illegal-streaming-network

[5] https://www.europol.europa.eu/newsroom/news/botnet-taken-down-through-international-law-enforcement-cooperation

Tagged , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *