CHAPTER 20: SHARING INFORMATION

‘It is abundantly clear to anyone working in cyber security that no-one has anything like complete visibility of the problem. Cyberspace is simply too vast for any organisation – public or private sector – to have sight on everything that’s going on.’24 – Francis Maude

The importance of incident-related information should not be underestimated in organising cyber security activities and handling cyber incidents. Relevant and correct information that is sent and received in time can often play a deciding role in preventing cyber security incidents and protecting against cyber attacks.

A country that has established a network of people dealing with cyber security has taken the first step towards a working information exchange. As we said in the previous chapter, having reliable relations in this network is important, as is knowing the right people and having their contact details.

It is necessary to agree on the principles of information exchange, which must cover the kind of information that is communicated as well as when, to whom and how. In countries that have established CERTs, it is usual for the CERTs to send information about the vulnerabilities they have detected to their communities and give advice on how to act securely. CERTs have become information exchange centres in many countries.

For example, when a critical infrastructure service provider suffers a cyber attack, they should send information about it to the country’s CERT. Depending on the type of the attack, the CERT helps the critical infrastructure service provider if necessary, sends information about the attack in an anonymised format to those that could be attacked in a similar manner, and recommends how to prepare for the cyber attack and what to do if they are attacked.

Some countries have also established sector-specific units that deal with cyber security. They may be called the sector’s CERTs or given different names. The principle should stay the same – the critical infrastructure service providers that should benefit from the information should also receive it.

Cyber attackers exchange information very well. They have no obstacles in sharing information – no state borders or legal restrictions. Reaching a rapid, coordinated and reliable level of information exchange often takes public authorities and countries a long time.

Attention should also be given to marking information when it is communicated. Using the traffic light protocol is common when information about protecting critical infrastructure is shared. Marking the created document in red, yellow, green or white tells the people who handle the documents how to act with the relevant information.

Information is often classified as a state secret of some level, which becomes an obstacle to its communication. Even if a critical infrastructure service provider needs information about possible cyber attacks, it may not get it. A public authority does not communicate the relevant information because the employee of the critical infrastructure service provider who should receive it does not have a permit for accessing state secrets, or the permit’s level is not high enough. This is where countries need to find suitable solutions: either the security class of the specific documents is lowered, or the critical infrastructure service provider employees who deal with security issues apply for the necessary permits.

To guarantee cyber security, it is necessary to exchange information inside the sector, between sectors, inside a country and between countries.

Lesson 20: Share information and be a part of networks where information is shared.
