The UK government’s cyber-security collaboration project, CISP, came under fire at RSA Europe today, with a panel of experts arguing that the intelligence-sharing concept at the heart of the scheme is significantly flawed.
The Cyber-security Information Sharing Partnership was launched by Cabinet Office Minister Francis Maude in March 2013, aiming to revolutionise the war on cybercrime. By bringing together the public and private sectors on a single project, the government believed critical intelligence could be pooled and made more accessible, helping the security industry mitigate threats more efficiently and law enforcement agencies track cyber-criminals with greater success.
But with market reputation and competitive advantages at stake, information sharing has long been a contentious area of IT security, and this morning’s panel – which included a member of the CISP's own steering board in FireEye CTO Greg Day – said industry reaction to the project had been cold.
“When the UK government set up CISP, which was about industry members sharing with each other, the first discussion they all got to was about trust,” said Day.
“Everyone [in the industry] thought this is brilliant, we should do this, and then they turned around and asked who would be willing to share this data, and I’ve never seen so many hands go down so quickly. So they always wanted it (the intelligence) but no-one wanted to share it.”
This reaction typified security companies’ overall reluctance to share insight beyond small trusted circles, the panel unanimously agreed. As such, the very purpose of CISP appears somewhat defeated from the outset.
“It is to a degree a closed club,” Day said of the security sector. “But it’s a club based not on whether you work for company X, Y or Z. It’s based on whether you know this person and you trust him, and that if I give him live malware samples he isn’t going to do something bad with it.”
And Day admitted that these trust issues had indeed hampered the scheme’s progress. “When we started down the CISP route there was some frustration in certain departments,” he said, adding that when project members reached out to organisations, they were greeted with an attitude of, “So what? What do you expect me to do about it?”
The government’s cyber-security schemes have faced scepticism from other quarters of the industry, with Corero Network Security CEO Ashley Stephenson telling ITProPortal in a recent interview that he was also unconvinced by CISP.