Competitors in many industries quietly cooperate when it makes sense, even if it’s only by establishing and adhering to standards. Just think what the world would be like if each car manufacturer decided where the brake and accelerator pedals would sit, or which side of the vehicle the steering wheel would be on. It would be virtually impossible to change cars, or, for that matter, to properly license drivers.
Imagine, too, how confusing (and expensive) it would be if every electrical appliance or device had a different plug configuration, and we had to accommodate them all. It just wouldn’t work. There are times when even the fiercest competitors have to agree to play nicely together for the sake of their industry.
Cyber security has long been a rather fragmented field, with companies clinging to information as a competitive advantage. While individual researchers do realize the benefits of sharing, the industry as a whole hasn’t done much to formalize cooperation, until now.
At the annual RSA security conference, multiple vendors, as well as government bodies, used their precious keynote time to talk about challenges facing the industry, and to call for industry collaboration to help safeguard digital – and physical – assets.
Why? Because, let’s face it, the bad guys have the advantage. They only have to be right once to succeed in an attack, though they may take shots with multiple cyber-weapons to get that single hit. Defenders, on the other hand, have to be right all the time; one oversight could create the chink in the armour that lets the cyber-crooks through corporate defenses.
“Cyberspace is the new battlefield,” said Microsoft president Brad Smith. “It’s a different kind of space. Cyberspace is us.”
What did he mean by that? Think about it – the Internet is owned and operated by the private sector, not by governments, and, he pointed out, the tech sector, not a government agency, is the first responder to any attack. Yet the attackers may be commercial criminals, or they may be nation-states, which, Smith said, effectively means that nation-state attacks have become attacks on civilians in times of peace.
“It’s not what the inventors of the Internet envisioned,” he said. “But it’s the world we live in.”
Chris Young, senior vice president and general manager of Intel Security (and soon to be CEO of McAfee when it spins off in April), is also worried about the growing attack surface, which has moved first from individual computers to the data centre, then to the cloud, and now to the home. And with the growth in work-at-home, and the number of devices being connected to both home and corporate networks, the home has a big, fat target painted on it.
“We have to reorient efforts around the home,” he said. He said that today, most companies still aren’t there; they try to drive behaviour through policy and hope people do the right thing. People being people, they often don’t.
Yet nobody exists in a vacuum – the security of the person next to you affects you in our hyper-connected world. And every RSA keynoter agreed that no one company can go it alone. The threats are just too pervasive, and too big.
That’s why the industry has to pull together to develop methods of detecting threats, protecting users from them, and remediating when bad things inevitably happen.
There are three things the industry collectively has to do, Smith said. First, companies have to do more individually. Microsoft, for example, is doing things like working with the industry to protect email, since many intrusions begin with a phishing email, and its Digital Crimes Unit collaborates with law enforcement and others to take down criminal activity.
Second, he said, we need to call on governments to do more. With the proliferation of crime crossing national boundaries, legislation and law enforcement needs to catch up. He envisions something like what happened in Geneva in 1949, when governments came together to agree on the fourth Geneva Convention, and more recently, when the G20 endorsed an agreement to put intellectual property theft out of bounds.
Thirdly, he said, “We need to sign our own pledge in conjunction with the world’s states. The tech sector needs to be a digital Switzerland.”
The industry has already made a start. In 2014, Fortinet and Palo Alto Networks founded a cyber defense consortium to drive a coordinated industry collaboration on threat intelligence. McAfee (which then became Intel Security, and is returning to the McAfee name in April) and Symantec joined the Cyber Threat Alliance (CTA) a few months later as founding members, and the next year three contributing members, ReversingLabs, Telefonica, and Zscaler came on board.
It worked. In 2015 the group collaborated to crack version 3 of the CryptoWall ransomware, and the next year it released an analysis of version 4 of the same malware.
In February 2017, the Alliance was formally incorporated as a not-for-profit entity, hired its first president, and added Cisco and Check Point as founding members. Three new affiliate members, RSA, IntSights, and Rapid7, also jointed the alliance.
With the incorporation came its corporate purpose as a not-for-profit: to share threat information in order to improve defenses against cyber adversaries across member organizations and protect customers; to advance the cybersecurity of critical IT infrastructures; and to increase the security, availability, integrity and efficiency of information systems. The group is also working to develop and disseminate security best practices.
CTA’s first project as a standalone entity is the development and rollout of a new, automated threat intelligence-sharing platform that enables members to integrate real-time, actionable intelligence into their products to better protect global customers.
To help with those efforts, Intel Security has open sourced its Data Exchange Layer technology that allows security products to pass information to each other, so each product can participate in a workflow that addresses various components of a security threat. The first public demonstration of OpenDXL at work occurred last fall at Intel Security’s FOCUS conference, with five competing products seamlessly exchanging information and creating a workflow.
These efforts go to show that it’s possible to collaborate and compete at the same time, with everyone winning. It’s not the ultimate solution, but it’s a good start.