NEW YORK -- The necessity for greater cybersecurity information sharing was stressed by speakers from academia, government and finance, Friday, at the Conference on Internet Governance and Cyber-Security, held by the Columbia University School of International and Public Affairs, in collaboration with the Global Commission on Internet Governance (GCIG).
"It all starts at the bar with a beer," said keynote speaker Gregory Rattray, Global CISO of J.P. Morgan Chase. "It starts with a limited number of people who trust each other."
Rattray explained that information sharing works best from a bottom-up, not top-down approach, and said that technical people can break down borders that people in government and business cannot. He gave the example of when he worked at ICANN during the spread of Conficker. Network operators in different countries were able to reach across those borders, he said, when other people failed.
The financial sector is improving information sharing via the FS-ISAC. Beth Petrie, director of intelligence analysis for Citigroup's Information Protection Directorate, said that cybersecurity is seen as a non-competitive area, which encourages sharing.
Yet Steven Bellovin, professor of computer science at Columbia University's School of Engineering, said that there is still a lot to be improved about the kind of knowledge that is actually being exchanged. "We don't learn as professionals how the defenses failed," said Bellovin. "That is the kind of information that would be useful."
The problem, in a nutshell, is "How do you share trust in a low-trust environment?" said Paul Bracken, professor at the Yale School of Management.
Bracken also suggested that organizations conduct incident response war games to test how they will react when a successful attack occurs. He has led war game exercises as a consultant at other organizations. "The word that comes to my mind is 'panic,'" he said. "They don't know what to do, so they default to the CISO and Legal."
Lou Modano, senior vice president and global head of infrastructure services for NASDAQ, said that the stock exchange has "set the bar very high with [war] gaming." All the CISOs at the exchange share information and conduct simulations, said Modano.
In another twist on information sharing, Michael Chertoff, GCIG Commissioner and former secretary of the U.S. Department of Homeland Security, commented on the recent "no-hack pact" between Russia and China. Chertoff said he thinks that if China sees intellectual property of value in Russia, it will still steal it. "I view it as an opportunist relationship," he said, "not one that's enduring."
"All conflicts going forward will have a bizarre consumer impact." -- Kevin Mandia