Fasoo executives participated in a summit at the University of California San Francisco (UCSF) on April 20, 2015 that brought government and industry together to discuss how to develop and implement information sharing organizations to thwart cyber attacks. PwC sponsored the 2015 ISAO Cybersecurity Summit as part of a process to develop implementation recommendations for The White House in the wake of President Obama signing a cybersecurity information sharing Executive Order (EO), “Promoting Private Sector Cybersecurity Information Sharing“, in February 2015.
The EO is to encourage the voluntary sharing of information on cybersecurity risks and incidents between private companies, nonprofits, federal departments and agencies and other entities and to collaborate to respond to incidents “in as close to real time as possible,” a lower standard than real time.
Information sharing at this level has been occurring for a number of years through existing Information Sharing and Analysis Centers (ISAC). These are focused on specific industries, with the financial services ISAC being mentioned frequently during the summit as an example of success. The Information Sharing and Analysis Organizations (ISAO) intend to provide a broader and more flexible means of sharing information since these groups could be cross industry, regional or even defined by a supply chain.
Michael Daniel, Special Assistant to the President & Cybersecurity Coordinator at The White House, mentioned the three main areas of focus of cybersecurity efforts and the intention of the ISAOs.
- Make the US more secure
- Disrupt hackers and other bad actors
- Enhance responses to inevitable incidents
A lot of the discussion centered around mechanics and potential issues with good information sharing. Currently organizations share threat indicators with each other and government agencies in an attempt to collectively prevent cyberattacks and the inevitable disruption in business operations. This can be malware files, originating IP addresses and activities within a network that are out of the norm.
As information sharing increases, the General Counsel of many organizations will get involved because of potential liability, privacy and regulatory issues. Since many attacks are on large, global organizations, you can quickly see the challenge in navigating industry, state, federal and international laws that affect sharing of information. For example, if a US company with operations in Europe wants to share information with US companies and the government, they need to take steps to ensure that no EU laws are broken.
Bil Blake, President of Fasoo USA, brought up the point that the inevitable cyberattack is going after the most important information inside a company. “As data breaches from healthcare, manufacturing and retail sectors have shown us, the attackers want to steal information that typically benefits them financially. Whether it’s a health record or intellectual property, people want to sell information that will benefit the buyer. This could result in identity fraud in the case of health information or a knockoff product that could easily undermine an established brand.”
Ron Arden, Vice President and CMO of Fasoo USA, during a discussion mentioned one way to thwart the activities of bad actors. “Since we know that frequent threats are from trusted insiders, organizations need to ensure that someone can’t use the data they exfiltrate. If you encrypt data at the time of creation and control it through dynamic security policies, revoking access to that information in real-time can prevent an unauthorized user from accessing the information. They may have the files, but they can’t use them. The next time the attacker will choose an easier target.”
The most important take-away from the PwC summit was that government cannot do this alone. The private and public sectors must pool resources to be able to share intelligence at machine speed. People cannot analyze and act quickly enough to stop these attacks, since they are automated and increasing more sophisticated.
Protecting an organization’s most important data through a multi-layered security approach is still the best way to stop the inevitable data breach and reduce your risk.