The National Cybersecurity Strategy, released in March, calls for technology providers to assume more responsibility for maintaining the security of computer systems, rather than have individuals and small businesses shoulder the risk. But there's another potential equalizer that, if done right, can help organizations get a leg up despite having fewer resources than large companies: public-private information sharing.

Effective and efficient public-private collaboration can help democratize information and strengthen the security posture of all companies, regardless of size. Today, most cybersecurity is built for the one-percenters of the tech world, who have the financial resources and cybersecurity staff and expertise to defend and mitigate with relative ease compared with smaller companies without those resources. Yet, when the bigger companies get hacked, they effectively pass along the costs of a breach to their customers. The same attack on a smaller organization can destroy its business. Shifting the cybersecurity liability will help repair the trickle-down cost burden, but better information sharing will level the cybersecurity playing field across the industry.

Exchange of Information

The 2015 Cybersecurity Information Sharing Act (CISA) has increased the amount of exchange of cyber-threat information between the government and the private sector. Private companies report cyber incidents and the government shares cyber-threat information. While some private organizations are hesitant to share information either out of legal or regulatory concerns or worry that it may be misused, security vendors and researchers are more motivated to participate.

The government invites security researchers to collaborative working sessions on a regular basis to swap threat intelligence, but the groups tend to be exclusive and limited to the big vendors. The argument is that working with fewer but larger vendors will minimize the chance of leaks while protecting the most people because they'll have more threat intel to share. But I would argue that making the research collaborations more inclusive would not only level the playing field among vendors but also increase the diversity of threat intel sources and apply more human expert intelligence to the problems. The industry will have better defenses collectively if it is less siloed with its information-sharing processes.

Security researchers understand this and are sharing information and resources on a grass roots level. Offensive "red teams" are applying their knowledge to defensive "blue team" activities. And researchers are helping each other make better use of tools like YARA, which was created to enable malware research. Researchers are swapping information about pattern detection in malicious files that other researchers are testing out. They even organized a "#100daysofYARA" campaign on Twitter last year to challenge more people to learn new techniques for creating YARA rules that everyone can benefit from. Security researchers are also releasing projects on platforms like GitHub for others to benefit from. This strengthens the ecosystem and advances the field of learning in a space where attackers have the clear advantage.

The National Cybersecurity Strategy also suggests technology solutions to enable collaboration and data exchange for defensive efforts. Specifically, machine-to-machine data sharing and security orchestration can complement human-to-human collaboration efforts to drive threat response at machine speed, the plan advises.

Overwhelmed by Data

I support that approach, with a caveat. I find that most organizations are drowning in data and struggle to operationalize their threat intelligence effectively now. Therefore, the solution isn't necessarily to increase the volume (although that can help in some cases), but to enable businesses to analyze it and make it actionable. A good analogy is the atmospheric storms that have dumped record amounts of rain on drought-stricken California. At a certain point, reservoirs overflow. The state needs the right resources and infrastructure to manage the influx and retain it properly for long-term use. For security, organizations need the right people, processes, and technology to be able to operationalize threat intelligence at scale.

It's heartening to see the Biden administration make such a bold plan and call-to-action to address the cybersecurity issues that put our country at risk. Public-private information sharing is critical to enable organizations, private businesses, and government to protect the data and systems our economy and public safety rely on. For the efforts to be even more effective, the collaboration needs to be inclusive and representative of the security industry as a whole.