Cybercrime is increasing year on year. The 2017 cyber breaches survey shows that almost half of UK firms have been hit by cyber breach or attack in the past year. Yet for private companies there appears to be a severe reluctance to share cyber intelligence and vulnerabilities on platforms such as CiSP (Cyber Security Information Sharing Partnership)
Having worked in both anti-piracy operations and counter terrorism, I know just how valuable intelligence and vulnerability sharing can be.
The reason, I believe, for this reluctance to share intelligence in the cyber sphere, can be found in the age old prisoner’s dilemma.
In the classical prisoner’s dilemma there are 2 prisoners, in 2 separate cells. Both are separately interrogated for a crime that they are both accused of committing. The interrogators speak to them separately and both prisoners get given the same set of options.
Option one: If they both betray each other they will each receive a sentence of 5 years.
Option two: One places the blame on the other and the other stays silent then the betraying prisoner will get off free and the other one will get 20 years.
Option three: They both stay silent. Then they both get 3 months in prison.
Option two, betrayal, can potentially yield the best result so long as the other prisoner decides to stay silent. The fear of being betrayed by the other prisoner and being left with the maximum sentence combined with this potential benefit means that both prisoners inevitably choose to betray each other.
In my mind this is exactly what happens to companies who are thinking about sharing intelligence on platforms such as CiSP. The “cost” of sharing cyber information for companies exists in a perception of reputational risk and giving competitors an advantage. The benefits of sharing information are stronger security and resilience.
However when it comes to making a choice, companies, like the hypothetical prisoners, feel a greater incentive not to share than to have a mutually beneficial arrangement. As a result all parties will likely end up being worse off.
Cyber security intelligence and vulnerability sharing brings in some additional complications that the prisoner’s dilemma lacks. Firstly, the costs of sharing and the benefits of sharing don’t happen concurrently in cyber. The costs happen immediately after the action of sharing whereas the benefits (increased resilience) are more long-term. Secondly, to be effective, it can’t be a one off, it has to be a continual process of cross organisational co-operation. Both factors end up reducing the probability of companies sharing information.
As humans we often give more weight to immediate costs than we do far-off benefits, however the sharing of cyber intelligence and information is key to making our country more secure. Firstly, it means we aren’t all forced to learn the same lessons for the first time. It also means we aren’t all reinventing the wheel. Attackers are less likely to encounter this problem as they openly share information with each other on forums.
In order to encourage companies to be more open we need to find a good way to reduce the immediate costs of sharing intelligence. Japan employs anonymous intelligence reporting so companies can share the information or vulnerabilities, but don’t face the fear of any reputational damage. The future benefits may then play a greater role in our decision making.
The UK Government has created CiSP (Cyber Security Information Sharing Partnership) as a platform for organisations to exchange cyber threat information in real time, in a secure, confidential and dynamic environment. It is free to use and has specific industry groups you can join for more targeted intelligence sharing. It is employed successfully by both large multinationals to small local companies. For more information visit www.ncsc.gov.uk/cisp.