1、Cyber Information Sharing: Building Collective Security I N S I G H T R E P O R T O C T O B E R 2 0 2 0 Contents Cover: Unsplash/Markus Spiske Inside: Unsplash/Adi Goldstein; Unsplash/Taylor Vick; Unspash/Christopher Burns; Unsplash/Uriel Sc; Unsplash/Fabio; Unsplash/Joshua Sortino; Unsplash/Zhang K

2、enny; Unsplas/Shahadat Rahman; Unsplash/Tetrebbien; Unsplash/Patrick Linderberg; Getty image/simpson33; ; Unsplash/Alina Grubnyak; Getty image/Orbon Alija 2020 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, includi

3、ng photocopying and recording, or by any information storage and retrieval system. 3 1 Executive Summary 5 2 Cyber information sharing: what is it and why does it matter? 6 2.1 Cyber information sharing as a platform for collective resilience 7 2.2 Cyber information sharing as a platform for collect

4、ive action 9 3 Why does this matter now? 11 4 Seven barriers that need to be overcome 14 5 Information sharing 2.0: how nextgeneration technology can help 15 5.1 AI and ML 16 5.2 Privacy Enhancing Technologies 16 5.3 Encrypted computation 17 5.4 Differential privacy 18 6 CDA case study: using PET to

5、 drive collective action in the cybercrime ecosystem 19 6.1 The pilot: secure and confidential querying 20 6.2 Results 21 CONCORDIA: an ecosystem for collaboration 23 Recommendations 24 Contributors 25 Endnotes Cyber Information Sharing: Building Collective Security2 Executive Summary 1 Information

6、sharing is critical for empowering the global ecosystem to move from individual to collective cyber resilience. Cyber Information Sharing: Building Collective Security3 Intelligence sharing between stakeholders is a defining feature of the cybersecurity community and one of its most important shared

7、 challenges. Cybersecurity is one of the most systemically important issues facing the world today. In little over a decade, cybersecurity has been transformed from a primarily technical domain centred on securing networks and technology to a major strategic topic of global importance. Cybersecurity

8、 is a pillar of a digitally resilient society. It is essential for assuring the integrity of the interconnected business and social processes that sit on top of modern societies complex digital ecosystems. Its growing importance as an issue has been tracked by the World Economic Forum Global Risk re

9、port and now the potential impact of cyberattacks is consistently ranked as one of the biggest risks facing the global economy today.1 Since its relatively recent emergence the cybersecurity ecosystem has faced several challenges as it has worked to mature the isolated cybersecurity activities of ac

10、tors throughout society into a cohesive ecosystem, which allows itself to be accountable to all parts of society. It has had to overcome these shared challenges in a fluid environment. The COVID19 pandemic has led to rapid digital transformation in many workforces and sectors, further increasing the

11、 dependency of our global economy on digital infrastructure. This has exacerbated cybersecurity challenges that existed before, but also demonstrated to all stakeholders the need and incentive to address some of our most important shared challenges. Intelligence sharing between stakeholders is a def

12、ining feature of the cybersecurity community and one of its most important shared challenges. No stakeholder alone can sustainably identify and address all the cyber threats of the fastchanging digital landscape. Trusted, secure and scalable cyber information sharing needs to be a foundational platf

13、orm on which all participants of the digital ecosystem can rely. Information sharing enables enterprises to defend themselves, enhance resilience and conduct collaborative investigations to detect and deter threat actors. It enables building trust. Barriers, however, remain in the ecosystem, includi

14、ng issues such as gaps in jurisdictional collaboration, in addition to crosssector collaboration, lacking access to skills, strategy and resources, and concerns over trust and privacy. These barriers need to be addressed to promote greater resilience. New technology, among other interventions, promi

15、ses to overcome these barriers. Artificial intelligence (AI) and machine learning (ML) technologies are enhancing the effectiveness and value of sharing data, and privacyenhancing technologies are enabling the sharing of information while protecting privacy and security. Combined, these technologies

16、 can dramatically expand, automate and improve organizations ability to protect themselves from cyberthreats. Ultimately information sharing is an enabler of the strategic driver of the global cybersecurity community; the need to move from individual resilience to collective resilience. The World Ec

17、onomic Forums Global Future Council on the Future of Cybersecurity, during its 20192020 term, focused on the nature of these barriers and challenges in the security community as well as possible new solutions. This document reflects the insights generated by this group among Council Members in addit

18、ion to the Centre for Cybersecuritys extended community, including the World Economic Forums Technology Pioneers. Cyber Information Sharing: Building Collective Security4 Cyber information sharing: what is it and why does it matter? 2 No single organization has visibility over the entire problem spa

19、ce, making collaboration and information sharing essential. Cyber Information Sharing: Building Collective Security5 Knowledge is power. Intelligence, carefully curated from the collection, evaluation and assessment of data from many sources is fundamental to understanding the complex and dynamic th

20、reats that exist in the information age. Once only the preserve of government departments and military agencies, intelligence now helps businesses and global institutions make better, datadriven decisions. It gives them the edge in formulating new plans and strategies to manage risk, and to perform

21、efficiently and effectively. Such is the scale and complexity of the challenge, cyberthreats and risks must be understood in detail if organizations want to prevent breaches and prosper in the age Fourth Industrial revolution. Cybersecurity is defined by its multistakeholder ecosystem and needs to b

22、e seen from a holistic viewpoint. All participants in that ecosystem need to be able to participate in building the systemic resilience of the collective infrastructure on which those stakeholders rely. The scale of the cybersecurity challenge facing global institutions requires a mindset shift from

23、 traditional models for managing business and security risks. It is no longer feasible to rely on ones own capabilities; instead a step change will be essential to the future of business resilience. No single organization has visibility over the entire problem space, making collaboration and informa

24、tion sharing essential. Information sharing and having the ability to use it helps build resilience and drives collective action. It is one of the most fundamental tools that an enterprise or organization has to protect itself. This, however, must be the right type of information sharing to solve th

25、e complex problems. Each security community is different and must define the fundamental insights required to protect itself, be this technical information or insights into strategic behaviours or trends. The ability to share the right insights at the right time in a systematic way with the right st

26、akeholders will allow for the effective protection of assets, intellectual property and business processes. Eight things enterprises need to be in a position to share 2.1 BOX There is no onesizefitsall approach to cyber information sharing. Informationsharing arrangements between entities have to be

27、 informed by factors that take into account sector risks, as well as whether that ecosystem has sufficiently strong governance to be able to do so. Differing risks might include the nature of the cyberthreat and if the ecosystem contains sensitive or private data (such as PII, or commercially sensit

28、ive information). 1. Observable: What activity are we seeing? 2. Incident: Where has this threat been seen? 3. Exploit target: What weaknesses does this threat exploit? 4. Threat actor: Who is responsible for this threat? 5. Indicators: What threats should I look for on my network and systems, and w

29、hy? 6. Procedures: What does it do? 7. Campaign: Why does it do this? 8. Course of action: What can I do about it? 2 Cyber information sharing as a platform for collective resilience Cyber information sharing is the ability of an ecosystem to be able to share at scale intelligence with many differen

30、t stakeholders to generate the right level of situational awareness for organizations to defend themselves. By doing this the ecosystem can answer what has been, and what can be done about malicious activity. Organizations need to be able to do this in three key domains: 1. Strategic: Information th

31、at can help enterprises understand the type of threat they are defending against, the motivation and capability of the threat and the potential consequences and risks of attacks. 2. Operational: Information that can help enterprises decisionmaking, resource allocation and task prioritization. It inc

32、ludes trend analysis showing the technical direction of threat actors and an understanding of malicious tactics, techniques and procedures. 3. Technical: Information from technical data, sources and systems that provide insights that can influence tactical decisions. This data is typically derived f

33、rom near realtime monitoring and sharing of network information required for adjusting an organizations security.3 Cyber Information Sharing: Building Collective Security6 FSISAC: A financial industry consortium dedicated to reducing cyber risk in the global financial system. Serving financial insti

34、tutions, the organization leverages its intelligence platform, resiliency resources and a trusted peertopeer network of experts to anticipate, mitigate and respond to cyberthreats. Cyber Threat Alliance (CTA): The CTA is a notforprofit organization that is working to improve the cybersecurity of our

35、 global digital ecosystem by enabling near real time, highquality cyberthreat information sharing among companies and organizations in the cybersecurity field. CiviCERT: A network of Computer Emergency Response Teams (CERTs), Rapid Response Teams and independent Internet Content and Service Provider

36、s who facilitate collaboration, share information to alert emerging digital security threats to civil society and foster digital security help desks to improve protection for civil society members and organizations. MMISAC: This is a mining sector nonprofit, industry owned and open to all companies

37、in the mining and metals industry. It allows member companies to share critical cybersecurity information through secure channels, enabling them to benefit from this intelligence at a reasonable cost. Telecommunication Information Sharing and Analysis Centre (TISAC): The GSMA developed the TISAC to

38、act as the sectorspecific ISAC for the mobile telecommunications industry. The centre provides a place where security issues from the mobile industry can be raised, managed and discussed in a trusted environment among all GSMA members. Information-sharing groups that are developing better cyber resi

39、lience BOX Cyber information sharing as a platform for collective action Cyber information sharing can also drive collective investigations and action between the public and private sectors. Cybercrime cannot be addressed without creating a more effective deterrence model by confronting the source o

40、f cybercriminal activity, reducing the return on investment and making the risk of prosecution real. Conventional criminal justice efforts are failing to limit the risks of engaging in malicious online activity. In the US, the likelihood of successfully prosecuting a cybercrime is estimated at 0.05%

41、, far below the 46% rate of prosecution for violent crime.4 The most successful information sharing models that are emerging in the global community and which can detect and disrupt cybercrime are between law enforcement and the private sector. Unlike traditional crime, the skills, data and capabili

42、ties to detect and disrupt cybercrime often reside within the private sector. More are required, but these emerging models have been difficult to scale up. Sharing information between parties is fraught with potential privacy, security and due process concerns, as well as the challenge of ensuring p

43、rotections for the right to free expression, association and political participation. Incentive models remain nascent, as groups try to understand who bears the cost and responsibility for driving collective action. 2.2 Cyber Information Sharing: Building Collective Security7 European Cybercrime Cen

44、tre (EC3): Europol set up the EC3 in 2013 to strengthen the law enforcement response to cybercrime in close collaboration with the private sector. EC3 has made a significant contribution to the fight against cybercrime: it has been involved in tens of highprofile operations and hundreds of onthespot

45、 operational deployments resulting in hundreds of arrests.5 The National CyberForensics and Training Alliance () was established in 2002 as a nonprofit partnership between private industry, government and academia, with the purpose of providing a neutral trusted environment that enables twoway colla

46、boration. To date, the NCFTA has enabled its community to prevent more than one billion dollars in potential losses, identify critical threats and tackled more than 2,500 law enforcement cases. Microsoft Digital Crime Unit (DCU): The DCU is an international team of attorneys, investigators, data sci

47、entists, engineers, analysts and business professionals based in 30 countries, working together to fight digital crime. Since 2010, the DCU has collaborated with law enforcement and other partners on 22 malware disruptions, resulting in more than 500 million devices rescued from cybercriminals. Cybe

48、r Defence Alliance (CDA): The CDA, with its headquarters in London, is a cyber defence and antifraud group consortium of financial institutions originally founded by Barclays, Santander, Standard Chartered and Deutsche Bank in 2015. The CDA works with member organizations and law enforcement agencie

49、s in a colocated space to share information and turn it into actionable intelligence to prevent malicious activity and identify threat actors for criminal investigation. Public-private information-sharing groups developing collaborative investigations and collective action BOX Cyber Information Sharing: Building Collective Security8 Why does this matter now? 3 The Fourth Industrial Revolution demands the digitization of business and commerce. That digitization needs to be safe and secure. Cyber Information Sharing: Building Collective Security9 The