More than a third of private sector cybersecurity professionals remain hesitant to share cyber threat intelligence across their industries, even as a reciprocal measure, and only a minority actively participate in information sharing initiatives, according to a new survey.
The survey of 500 security professionals from many different industries and businesses, released Tuesday by McAfee Labs, showed that only 42 percent are actively engaged in private-sector cyber threat intelligence sharing initiatives, which involve the exchange of information about threat actors, exploit targets and attack techniques. While 8 out of 10 surveyed were aware of cyber-threat sharing initiatives and 91 percent said they would be interested in receiving information relevant to their industry, only 63 percent said they would be likely to reciprocate by sharing their own intelligence.
According to the report, companies not engaged in threat-sharing initiatives are missing out on a critical security asset: among the 42 percent of surveyed personnel currently engaged in information sharing, nearly all of them — 97 percent — indicated that the information was either valuable or very valuable to their organization.
“Security best practices dictate we push any threat as far as possible from the target. By using [cyber threat intelligence], security teams look to not only stop each attack as it happens, but to also get a better sense of who is attacking, what methods they are using, and what their targets are,” states the report. “To do this, we need a bigger picture of what is going on. [Cyber threat intelligence] is key to gaining that level of understanding about the cyber threat.”
The barriers to sharing, according to the report, are rooted largely in policy and lack of understanding: when queried about their hesitation to exchange intelligence, security personnel representing companies that don’t use information sharing said that company policy prevented them from doing so. One in four cited industry regulation as a factor, while another 25 percent expressed interest in the idea but “needed more information.”
“We believe the reluctance to share revolves around a misunderstanding of the type of information offered,” the report states. “When an organization begins to implement a [cyber threat intelligence] sharing effort, it runs afoul of policies that dictate that no confidential data or [personally identifying information] can leave the organization. This is, of course, generally a good policy but the lack of understanding of the content being shared becomes self-defeating in this case.”
The report emphasized the need to respond to policy by establishing secure exchange standards for the trading of information. It cited platforms such as TAXII, STIX and CybOX, which create definitive channels for passing along sensitive security intelligence, as having the potential to function as a bridge between companies without violating strict security standards.
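To make concrete what a structured exchange format actually carries, and why the "no confidential data or PII leaves the organization" policy quoted above need not block sharing, here is an added example in Python. It is not code from the McAfee report or from the STIX/TAXII projects. It assumes the STIX 2.1 JSON object layout (the article names STIX without a version), builds an Indicator object from constructed, non-real observables, wraps it in a Bundle, and runs a small outbound release check of my own design: the object may carry only standard Indicator properties, and no string value may contain an e-mail address or an RFC 1918 address, since those describe the sharing organisation rather than the threat.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample observables for the example (illustrative, not real IoCs).
SAMPLE_SHA256 = "aa" * 32
SAMPLE_DOMAIN = "c2.example.invalid"

# Top-level properties a STIX 2.1 Indicator may carry (common properties plus
# the Indicator-specific ones). Anything else is a local addition that should
# not leave the organisation without review.
ALLOWED_INDICATOR_FIELDS = {
    "type", "spec_version", "id", "created", "modified", "created_by_ref",
    "revoked", "labels", "confidence", "lang", "external_references",
    "object_marking_refs", "granular_markings", "extensions",
    "name", "description", "indicator_types", "pattern", "pattern_type",
    "pattern_version", "valid_from", "valid_until", "kill_chain_phases",
}

# Value shapes that identify the reporting organisation, not the attacker.
# These regexes are an assumption of this example, not part of STIX.
PII_PATTERNS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "RFC 1918 address": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
}


def stix_timestamp(dt: datetime) -> str:
    """Format a UTC datetime in the STIX shape YYYY-MM-DDTHH:MM:SS.mmmZ."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_indicator(pattern: str, name: str, description: str = None,
                   when: datetime = None) -> dict:
    """Build a minimal STIX 2.1 Indicator carrying a STIX pattern."""
    ts = stix_timestamp(when or datetime.now(timezone.utc))
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }
    if description is not None:
        obj["description"] = description
    return obj


def make_bundle(objects: list) -> dict:
    """Wrap STIX objects in a Bundle, the unit a TAXII server exchanges."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def review_bundle(bundle: dict) -> list:
    """Outbound release check. Returns (object id, finding) pairs; empty means releasable."""
    findings = []
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "<no id>")
        if obj.get("type") == "indicator":
            for field in sorted(set(obj) - ALLOWED_INDICATOR_FIELDS):
                findings.append((oid, f"non-standard property {field!r}"))
        # Scan every string-valued property for organisation-identifying data.
        for field, value in obj.items():
            if not isinstance(value, str):
                continue
            for label, rx in PII_PATTERNS.items():
                if rx.search(value):
                    findings.append((oid, f"{label} in {field!r}"))
    return findings


if __name__ == "__main__":
    # Constructed observation date for the demo output.
    seen = datetime(2016, 3, 1, 12, 0, 5, 123456, tzinfo=timezone.utc)
    clean = make_indicator(f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']",
                           "Dropper hash", when=seen)
    leaky = make_indicator(f"[domain-name:value = '{SAMPLE_DOMAIN}']", "C2 domain",
                           description="First seen on 10.20.4.17, reported by jsmith@corp.example",
                           when=seen)
    leaky["victim_user"] = "jsmith"  # local field that must not be shared
    for bundle in (make_bundle([clean]), make_bundle([leaky])):
        print(json.dumps(bundle, indent=2))
        print("findings:", review_bundle(bundle) or "none, releasable")
```

The clean bundle passes: a hash pattern and timestamps say nothing about who observed them. The second bundle is held back for three reasons (a non-standard property, an internal address and an e-mail address in the description), which is exactly the distinction the report says policy teams miss: the indicator itself is shareable, the local context around it is what needs to be stripped.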
The report also addressed the legal ambiguity of threat sharing programs. Although there is concern in industry that information exchange will subject organizations to antitrust laws, the report points out a set of stipulations in the US Cybersecurity Act of 2015 that specifically exempt cyber threat sharing from such litigation.
As companies awaken to that new legal framework and the benefits of cyber threat sharing, the walls preventing collaboration will begin to fall, the report concludes.
“Many companies face hurdles to fully realize the benefits of sharing threat data with the community,” the report states. “Some of those hurdles are falling. The use of [cyber threat intelligence] will become a critical component of organizations’ defenses as structured, enriched data will allow organizations to respond more quickly, with a better view of the cyber event landscape.”