
No sharing without safeguards
15 July 2021
Stuart Murdoch

It's tempting to believe (and an impossible goal that, nonetheless, is worth striving for) that all sharing of security information should be completely open and in public. The reality, of course, is that some information, at certain critical moments, is considered too sensitive to share, and insisting on public-only sharing ultimately means that vital information won't be shared at all.
That was part of the philosophy behind the UK's National Cybersecurity Information Sharing Partnership (CiSP). CiSP needed a platform which had specific controls in place to ensure the maximum amount of sharing, to the widest extent possible.
The key controls which CiSP needed, as highlighted by Dave Cartwright in his feature in The Register, are:
- "A rigorous sign-up process (not just anyone can have access)" - so you need to have credentials to authenticate yourself to the trusted environment - it isn't just a glorified website.
- "Facilities for either showing or hiding your identity when you post" - allowing people to share on the record, but also to hide their identity from most users (although not the admins).
- "A tightly defined system for categorising posts based on their sensitivity from 'red' (disclosure of which is restricted very tightly) through 'amber' and 'green' to 'white' (freely distributable with some simple caveats such as respecting copyright)." - the Traffic Light Protocol (TLP).
Each of these, in addition to the ability to share information within smaller access-controlled groups, is entirely necessary to encourage the widest sharing of information.
Information about vulnerabilities, breaches and incidents, along with threat analysis and investigation work, will all contain highly sensitive information. Individuals and organisations simply won't want to share that if they don't have some sense that there is control or knowledge of who is going to receive that information and what they might do with it.
As a matter of policy, some CiSP member organisations only allow their people to share information if it is anonymised. If anonymity wasn't available on the platform, that information would not be shared.
The Traffic Light Protocol (TLP) was developed for, and used in, the sharing of sensitive information, particularly amongst the Information Exchanges which represent the key players in our Critical National Infrastructure (CNI). It is so fundamental that it has gone on to become a standard which is managed by FIRST and is used globally for cyber security information sharing. Again, without the ability to express the rules about who can do what with the information they share, people aren't going to share that information.
Without the controls as implemented in CiSP, nothing but the most basic information would be shared. By the time information is no longer sensitive and can be openly shared, it is too late for the sharing to have an impact in preventing cyber threats.
So, paradoxically, to encourage the widest sharing possible, those sharing need to be confident that there are safeguards, and those safeguards ultimately benefit all of us.




