Knowledge, insight and understanding require collaboration. Cyber security success or failure hinges on the ability of people, organisations and industry sectors to share information.
The challenge of information sharing is not new. The public and private sectors around the world have been pursuing ways to encourage and enhance information-sharing methods since the late 1990s. There is no silver bullet or product that you can buy. Successful information sharing requires trust, a solid policy framework and commitment from people who want to solve specific cyber security problems.
This is the context against which Singapore published its Cybersecurity Bill earlier this year. The country has over the past two years emerged as a cyber security policy powerhouse, with a clear interest not only in ensuring that cyber attacks do not undermine its status as a global hub for commerce, finance and transport, but also in ensuring that its regional partners adopt effective cyber security policies and approaches. The draft Bill, coupled with the public-private partnerships set in place by the Ministry of Communications and Information and the Cyber Security Agency of Singapore, is worth emulating in many aspects.
Singapore has rightly prioritised its efforts on the sectors most critical to national security and the economy - the critical information infrastructure (CII). This is important in the context of information sharing, or to be precise - mandatory incident reporting, as it is envisioned in the Bill.
Limiting the scope of mandatory reporting is the right thing to do because it focuses the efforts of the agencies involved, essential when having to operate in a cross-cutting environment with limited resources. Nevertheless, as it evolves the draft Bill, it will be critical that the Government clearly defines the objectives it wants to achieve with this obligation, in order to drive the kind of responses, coordination and actionable data that it wants.
Moreover, Singapore has recognised that information sharing is an essential tool for solving cyber security problems, not an activity that is an end in itself. The Government's primary role is to create avenues for information sharing, which typically works best when evolved from trusted relationships that emerge on a voluntary basis because of a particular need or problem.
Governments need not and should not be the interface for all information sharing, but set an example by doing it and enabling it. The partnership of the Monetary Authority of Singapore (MAS) with the global Financial Services Information Sharing and Analysis Centre (FS-ISAC) is a great example of just such an effort. A few weeks ago, the FS-ISAC Asia-Pacific Regional Analysis Centre's office and operations were launched, based out of Singapore and supporting 49 financial institutions across nine Asia-Pacific countries.
Another example of how governments can encourage information sharing is by providing protection for information shared. Singapore does that with this Bill, as it specifically protects information shared "in good faith" as part of CII owners' obligations, or during investigations, from liability. These and other similar protections, such as those that exempt cyber security information sharing from antitrust considerations, will prove essential in encouraging organisations of all types to share information with not only the Government, but also their peers and competitors.
Any policy on information sharing should take into account its international opportunities and implications. While information-sharing forums and processes do not need to follow a single structure or model, for both governments and businesses there will be genuine benefits to pursuing a harmonised approach - not just across national sectors but across borders. Established international standards such as STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) might be particularly helpful when it comes to establishing automated information exchange, which can be faster and more efficient, particularly when large numbers of participants are involved. STIX and TAXII are community-driven, free-of-charge, technical specifications designed to enable automated information sharing for cyber security situational awareness, real-time network defence and sophisticated threat analysis. They are not information-sharing programmes in themselves, rather something equivalent to common languages, definitions and structures that organisations anywhere can use to exchange information about cyber threats.
Effective information sharing across public and private sectors, within CII and beyond, done for common purpose and for a common good, should be the new normal.
Singapore and other states will benefit from minimising the reach of mandatory reporting schemes and from encouraging all stakeholders to develop their own approaches and mechanisms. More complete information about cyber attacks can underpin more effective responses and more accurate trend analysis, which could allow cyber defenders to reduce their disadvantages. One example is the Microsoft Active Protections Program, which takes a collective, community-led approach to information sharing and response that has allowed speedier cyber security updates and improved cyber security outcomes for over a billion customers.
When it comes to cyber security, sharing information is perhaps the only way to reliably stem the growing tide of threats. Singapore's approach to information sharing is a significant step forward and is part of an important trend around the world. If trusted methods of information sharing can be built, ones that are broadly based, sector-led and underpinned by international best practices, then the fight against cyber attackers will have taken an important step forward and knowledge will have genuinely become power.
- The writer is Senior Director, Cyber Security Policy and Strategy, at American multinational technology company Microsoft.