Sharing is caring!
For many agencies, the concept of intergovernmental sharing and cooperation is built into government DNA. Take, for example, the concept of mutual aid for fire departments. Our residents don’t care who exactly responds to their medical or fire emergency. Frankly, shared borders make governmental cooperation with one another mandatory. The question is does this mentality exist within your agency when it comes to information security?
What exactly do we mean when we talk about intelligence sharing? Of course, this includes best practices, lessons learned, sharing of strategies, etc.
But what this really means is sharing who is knocking on your network doors, who has gotten in and how did you get them out. Cyberspace is much like outer space – it can get lonely out there if you don’t have a group that has your back.
Before we talk about intelligence sharing, let’s define threat intelligence. According to Gartner, “threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”
In simple terms, it is a source of information that one can use to make good decisions about cyber risk.
The catch is this: The threat intelligence is only as good as the people, processes and technologies used to generate it. It is no different than having a confidential informant who is unreliable, gives you bad information, or gives you great information but after the point that it’s really useful. Threat intelligence is pretty much the same. Some of the most popular threat intel feeds are paid subscriptions by big-name vendors. Conversely, there are free ones out there, but user beware – sometimes you get what you paid for.
Why Share and Target Government?
OK, so if there are different threat intelligence options to get cyber information, why are we talking about governmental intel sharing? A couple of reasons:
- More data, as long as it is accurate, timely and relevant, is always better than less data.
- Threat intelligence can bend is often very specific, whether to a sector (e.g. entertainment, government, etc.), region (e.g. state of Arizona) or agency (e.g. Maricopa County), so why not share it with those who share your concerns?
- Because government agencies interact with other agencies regularly, if one organization gets compromised, chances are good that information about other government orgs will be compromised.
- In addition to above, this information about another agency might lead to cyber attacks on them as well.
- Government tends to get targeted by everyone: nation-state, organized crime, hacktivists, individuals/groups that want to test their skills or generally be disruptive, etc.
- Whether warranted or not, there is a significant amount of mistrust and lack of confidence in government these days which makes us targets of cyber crime.
- As with bullet #2, why not share with those who are likely to see the same sort of attacks and have similar concerns and risks?
So Where to Start?
It doesn’t take complicated or expensive software. Build a relationship with those agencies that you interact with the most. There’s a chance that regional organizations exist, either specific to government infosec services or IT.
In Arizona, there are governmental groups that support both IT and InfoSec. If you are thinking nationally, there are a number of organizations that are considered ISAOs or Information Sharing and Analysis Organizations. The ISAO that specifically supports government agencies is called MS-ISAC (Multi-State Information Sharing and Analysis Center).
Of Note: Here’s where it gets sticky. For a variety of reasons (too many to go into in this blog), there may be reasons why you might be reticent to share information, especially around being successfully “hacked.” Ransomware is a great example. Depending on how severely your agency is impacted, this fact might get out no matter what you do. Even then, you probably want to determine when this is disclosed and how the message is crafted. As mentioned in a previous blog post, trust with your constituents is critical. The bottom line, people and organizations are naturally disinclined to want to share bad news publically.
So how can you share intelligence so that others can protect themselves while being mindful of your org’s needs? In InfoSec parlance you can share intel either in an attributed or an unattributed fashion. Attributed means to link the intel to the organization where it occurred, while unattributed means to provide intel without specifically identifying the org.
In Arizona, many government agencies report suspicious cyber activities or instances of compromise to our state fusion center. The default way that this intel gets reported is unattributed. The salient technical details (which are too numerous to go over in this blog) and the general area of government that the agency belongs to are shared with the government community, and that’s it. So if Maricopa County were to report suspicious cyber activities, the intel would be shared like this: “A local government agency in the state reported…” This way those receiving the intel would have the tech specs and know what sector and type of government agency was impacted. Of course, if your agency is comfortable with disclosing their identity, that is potentially more helpful.
The Future of Intel Sharing
Many agencies are working towards automating the ingestion and sharing of threat intelligence. Why? So we can a) be aware of risks sooner and b) assuming we trust the information, start automatically blocking suspicious behavior before it even makes it into our respective networks and systems.
Additionally, we’re seeing improved communications and overall sharing between federal, state and local governments. With the creation of the Cybersecurity and Information Security Agency (CISA) in 2017 and the increased prioritization of information security in government, we are collectively on the right track.
Thanks for checking out this week’s blog!
Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected] And to read more from our Winter 2021 Cohort, here is a full list of every Featured Contributor during this cohort.
Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.