As the interconnectedness of our society in cyberspace has grown exponentially, virtually every aspect of industry has become dependent on cyber networks and therefore on network security. This interconnectedness has increased the need for shared risk, and today communities of organizations must work more collaboratively. But many question -- is it really possible to do this? I would argue that it is possible, and there is progress in the crowdsourcing of cyber security.
Sharing expertise and threat intelligence within the "commons" -- resources affecting an entire community -- enhances the ability of the good guys to respond to the bad guys. Rather than operating in isolated silos, the "sharing" -- sourcing from the crowd -- enables a collective defense that, though not tipping the balance totally in favor of the good guys, certainly improves the potential for a more powerful defense.
The challenge, of course, is how to source from the crowd when trust and transparency are the watchwords of cyber security. How do you ensure the veracity of submissions ("attribution"), represented as the work of good guys and not a potential "Trojan Horse," in a world where anonymity is the norm and may in fact be a legal requirement? How do you establish an audit trail of accountability to ensure trust and transparency? How do you create an incentive system that rewards contributions from the best and brightest?
The "how" is a work in progress, but there are three active representative efforts that hold promise for harnessing the creative skills of the broader cyber community, at least to raise the barriers against cyber attacks.
Special interest collaborations
Groups of like-minded organizations and individuals are coming together for collaboration around a specific threat or within a defined community.
The Conficker Working Group was formed in late 2008 by a coalition of security researchers for the express purpose of pooling intelligence and expertise to defend against the Conficker worm. The effort was noteworthy not only for its effectiveness, but also for the unprecedented cooperation between private- and public-sector organizations and individuals from around the world.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) was launched in 1999 prompted by a 1998 presidential mandate to share information about physical and cyber security threats and vulnerabilities among the public and private sectors in order to protect the US financial community and its critical infrastructure.
FS-ISAC represents a community of trust in which the organization continually collects, analyzes, vets, and disseminates relevant threat intelligence to its participating members. This was initially a US-focused effort, but in 2013 the FS-ISAC board of directors approved a charter amendment allowing the sharing of information with financial organizations around the globe. Its recently completed Critical Infrastructure Notification System (CINS) allows the organization to deliver security threat notifications and alerts to multiple recipients around the globe nearly simultaneously, while providing for user authentication and delivery confirmation.
"White hat" hired guns
For a number of years, leading technology companies such as Google, Facebook, and PayPal have managed programs where qualified white-hat hackers (and, in some cases, employees) work to detect product and network vulnerabilities in exchange for bounties. These programs have worked not only by internalizing the cat-and-mouse game of cyber attacks in a controlled environment, but also by providing a financially viable alternative to criminal activity for young engineers who are attracted to the technology challenges of hacking but might otherwise be drawn to the "dark side."
A team of former NSA researchers recently formed a Silicon Valley company called Synack. It responds to the rapidly growing community of corporations that want to find a trusted way to source the creative ability to identify and isolate vulnerabilities in their infrastructure but lack the resources and expertise to manage a highly vetted process themselves. Building on extensive career experience, the Synack team has created a network of hundreds of vetted and trusted cyber engineers who are made available to clients for vulnerability remediation on an ongoing subscription, leveraging a "pay for success" model. To ensure trust, Synack actively monitors its community of analysts. The financial services, healthcare, and e-commerce industries are among the early adopters of Synack's Crowd Security Intelligence offering.
Shared threat intelligence
A number of companies, such as AlienVault, ThreatStream, and CloudFlare, collect threat intelligence from a spectrum of sources and package it for distribution to customers, often as part of an integrated security management platform. Through the collection, aggregation, and vetting process, these vendors look to impart trust to the intelligence they share, which would otherwise come with little transparency. Once again, the intent is to facilitate the sharing of experiences and knowledge within the user community, enabling agility and compressing the time to discovery for cyber threats.
There is a great deal of interest in, and activity around, delivering on the full potential of crowdsourcing in meeting dynamic and rapidly evolving cyber security threats. At the same time, it's wise to note that our cyber adversaries have always been at the leading edge of innovative techniques for identifying, harnessing, and directing engineering creativity to achieve their nefarious objectives. In this regard, crowdsourcing may simply be another front in the cyber security wars.