Trust is a tricky thing. It’s hard to gain, easy to lose, and exceptionally difficult to win back. Following the Edward Snowden disclosures and ongoing wrangling in Congress and the courts about privacy, monitoring, and data collection, trust between the public and private sectors, especially in the IT and security space, has been in short supply.
It comes as no surprise then, that more than a few companies and individuals in the security industry have pushed back on government efforts to increase data sharing and collaboration around threat intelligence and cybersecurity. Collaboration relies on trust and, in the case of the government’s efforts to improve cybersecurity, we’re not just talking about malware signatures or new vulnerabilities. There is the potential for the exchange of proprietary information as well, the bread and butter for many security companies.
Challenges and concerns aside, though, the current threat landscape demands collaboration. Whether that takes the form of private efforts like the Cyber Threat Alliance or a Collaborative Research and Development Agreement (CRADA) like the one Fortinet announced today with the US Department of Homeland Security (DHS), real progress addressing cyber threats on a massive and global scale won’t happen in a vacuum.
It’s an easy knee jerk reaction to assume that sharing any information with our government may actually be detrimental to security. This isn’t just conspiracy theory nonsense - the Feds haven’t always been good stewards of our data and privacy. But clearly there’s a role for the federal government in combatting cybercrime and dealing with a host of security issues. These are issues of both national security and international finance, both areas in which the government has a critical interest.
However, this isn’t a time for jerking knees. The security threats we face are coming from all sides, from international actors, from rogue states, from well-organized networks of cybercriminals, and an increasingly sophisticated community of black hat hackers. This is the time to put reasonable, necessary public-private partnerships in place that can deal with these threats better than any organization can on its own.
Fortinet’s CRADA is a good example. As Derek Manky, global security strategist from Fortinet's FortiGuard Labs explained,
“Detecting and halting attacks is dependent on our ability to understand in real-time what threats are on the horizon and how they can impact our customers' network safety...Our new partnership with the DHS gives us access to a wealth of valuable information...across multiple vertical industries. This allows us to understand up-to-date threat information across federal, banking, energy/industrial, healthcare, enterprise and more, which will have a direct and positive impact on our customers' security and ability to operate their networks efficiently."
Like any good collaboration, the CRADA with DHS is a two-way street. Manky went on to note that:
"Our own deep knowledge of the threat landscape will feed back into the DHS cyber safety programs, bringing value to other businesses and government agencies...These relationships are common around the world, it's not just particular to the US government, but it’s worth noting that if a customer is attacked, we share indicators of compromise related to the attacker and not the victim since this can be tied to personally identifiable information."
Public-private partnerships get roads built, new fighter jets maintaining our air superiority, and new communication infrastructure that helps drive our economy. The right kinds of collaboration around cybersecurity can deliver real progress as we go up against a host of cybercriminals and terrorists who are currently winning a cyber arms race. If we want to not just catch up, but also get ahead of the bad guys, wherever and whoever they are, we’re going to need to do it together, even if that means rebuilding trust and pooling resources in ways that the hackers can’t.