Cyber Attacks are to be made public ?

The Lockheed Martin F-35 program made unwanted headlines in the U.K. last month after The Sunday Times revealed that BAE Systems’ portion of the project had been subject to significant data theft. Sources told the newspaper that the network intrusion began in 2009 and had gone undetected for around 18 months.

Industrial espionage, particularly on military projects, is a hallmark of the Advanced Persistent Threat (APT) , the epidemic of intrusions first detected in the mid-2000s and widely attributed to China.

The impact of APT successes, when they are disclosed, highlights a problem almost as troubling as the theft of data itself.

Investors and customers may lose confidence in a company that declares a significant data breach, yet it is only by sharing information about such breaches that long and complex supply chains can be protected. 

To a surprising degree, informal information-sharing networks are sprouting up around the western defense industry to disseminate cyberattack data in near-real time, across borders and even between competing businesses. Whether by email threads, telephone conversations, physical meetings or other means, individuals are alerting one another to new threat vectors and sharing intelligence on system-penetration attempts.

“Information-sharing is there, but it’s not being done in public forums,” says Don Smith, technology director of Dell Secure Works. “It is fairly effective, but it’s just not visibly effective if you’re not part of the community that’s sharing the information. That parallels what goes on in the mainstream security world, where organizations that you might normally view as competitors are furiously sharing information behind the scenes about the capabilities and tactics of the adversary.”

Governments have been wrestling with the conundrum. Last year, Australia’s Information Commissioner called for the country’s Privacy Act to be amended to make data breach notification compulsory. Many U.S. states followed California’s 2003 lead and now require companies to notify customers when personal data are compromised. The U.K. government’s Cyber Security Strategy, published last November, stresses the importance of information-sharing without recommending legislation, though one trade body -Intellect, which represents more than 750 companies in the information-technology sector – has suggested mandating information-sharing.

Yet there seems little appetite for legislation in the U.K. or U.S. Instead, some formalization of existing ad-hoc structures may be the best defense against attacks such as that suffered by BAE. Earlier this year Intellect and the larger aerospace and defense trade association ADS Group set up an experimental information-sharing program they call the Virtual Task Force. Next month, the British government is due to announce the results of a pilot phase of its own similar scheme, designated a “cybersecurity hub,” run under the auspices of signals intelligence agency GCHQ, and involving participants from five business sectors—defense, energy, pharmaceuticals, telecommunications and finance.

“The point [of the Virtual Task Force] is to involve companies at boardroom level, as well as getting their technical people together to analyze attacks and discuss the solutions they find,” says Julian Fraser, director of classified-information disposal service Data Eliminate, and a committee member of ADS’s Cyber Protection and Assurance Group. “People want to collaborate on these things but don’t necessarily want to share that someone’s been under the hood of their computer system without them knowing about it. The challenge is to get these people to cooperate, and for them to feel comfortable about doing so.”

Internal issues are equally important: security will not improve if only the CEO and the information technology department know about the threat. The BAE F-35 breach and a similar hack on Lockheed Martin and RSA, its digital security supplier, relied on “spear-phishing” attacks, where an individual employee was tricked into opening an email that went on to infect and compromise the network.

“The problem exists between the keyboard and the chair,” says Smith. “The initial trigger is duping an enduser, and that mechanism remains a highly successful method of penetrating organizations that have multilayered security controls.”

“If you were to start with [educating] lower-down employees in large organizations, and you get them to appreciate the importance of information security like they appreciate the importance of green issues, then they are going to start to demand better practices of their employers,” says Fraser.

From Aviation Week – April 2012