From time to time the topic of information sharing comes up in relation to getting security clearances in order to have more open and timely dialog with various government agencies. Having lived in that space for a time I would agree having a clearance would help in having overarching conversations if only because the culture is one that defaults to needing a clearance to have meaningful dialog. The problem comes when I put on more of an incident responder/cyber defender hat. The TLDR summary is the information most useful to cyber defenders isn't who has compromised their environments as much as it is the IOCs and methodologies used to gain entry. This is because we aren't defending a strategic point in 3D space. We are having to defend our organizations potentially from every computer plugged into an ethernet jack or wifi around the planet. Note this post is about why I think having multiple people in your security group cleared is less important that an adjustment in the classification paradigm. This isn't in response to being notified that my company has been breached.
Not to rehash 'cyber warfare' conversations post Aurora but conflict, by whatever definition, in the 5th domain (cyber) is unlike kinetic based conflict occurring especially in domains 1 through 3 (land, air, sea) and less so in space (the 4th). To back up a bit and make gross generalizations the end state of much of the classified intelligence space is ultimately linked to and focused on attribution (aka who's responsible for X so I can go punch them in the throat). Retribution though doesn't happen in the 5th domain - at least at the commercial level. The impasse generally found then is at the government information sharing level where the who is portion marked with the highest classification level because in that world that is the most important piece of information. That trickles down to portion marking the techniques being used and lastly things like specific things like IPs. While the initial response to a breach from management is often "who did this?" followed quickly by "why were we a target?" and the "why's" can and should help shape our defensive strategies/priorities, as a cyber defender at some level I could care less about the answers. Why you ask? Because that information isn't actionable. I'm more interested in the how as it relates to knowing what I should look for and what needs to be fixed. 'How' in this case ISN'T just which IP addresses were used 3 months ago and we are only hearing about this now. It is the full scope of IOCs.
I fully appreciate if the federal agencies openly shared IOCs and TTPs the malicious actors would simply switch how they are doing what they are doing. That said though I don't believe the solution to more and better sharing at the rank and file actionable data level is to get a clearance so we can better operate in the federal space once we are 'read in'. For cyber based compromise notifications adjust the portion marking on the classified documents appropriately allowing companies to better defend and respond /shrug.
No comments:
Post a Comment