Interview with Michael Daniel, Cyber Threat Alliance

Cyber Threat Alliance: “When the Common Good Cyber initiative succeeds, the entire ecosystem benefits”

The Cyber Threat Alliance (CTA)’s President and CEO, Michael Daniel, member of the Common Good Cyber Ecosystem Committee, discusses challenges in sharing threat intelligence, CTA’s milestones as an outstanding convener, the importance of measuring impact, and views on funding for under-resourced organizations to ensure sustainability.

CTA brings together cybersecurity companies to share threat intelligence. What makes this kind of collaboration both necessary and difficult in today’s threat landscape?

To counter physical threats, people try to know as much as they can about them. Where do they originate from? What are malicious actors trying to do and what tactics will they use? What’s the context for the threats? The same holds true for cyber threats – we need to know as much as possible to combat them effectively. However, no single organization has all the necessary information to counter these online threats. Cyber defenders have to collaborate and share threat intelligence with other organizations if they want to have any chance at stopping cyber threats. That’s where CTA comes in – we provide a structured, protected, sustainable way for cybersecurity providers to share cyber threat intelligence with each other. In our case, we focus on organizations providing cybersecurity services to others. If these organizations can provide better cybersecurity to their customers, then the entire ecosystem benefits.  

At the same time, this kind of collaboration can often prove challenging. Cybersecurity companies are often worried that sharing will somehow compromise their competitive edge. They have limited resources to apply to the problem. Sharing threat intelligence is another “thing” on the to-do list and rarely is someone’s primary job. Threat intelligence sharing requires dedication, resources, and commitment over time, which inevitably competes with other demands. Despite its necessity, information sharing remains a difficult challenge.

How do you measure impact when success often means what didn’t happen?

CTA has three missions: enabling member companies to better protect their customers, supporting the disruption of malicious cyber activity, and raising the level of cybersecurity across the digital ecosystem. Identifying outcome measures to assess our impact against these goals is very hard, since they are inherently difficult to measure. Therefore, CTA has an ongoing project to identify metrics that could assess cybersecurity at the national level. We want to move beyond anecdotes and develop concrete measures. For example, if the percentage of exploited vulnerabilities more than a year old decreases over time, that could indicate that defenders are doing a better job patching systems, updating software, and retiring legacy systems. Ultimately, if CTA could tie its programs to a few of these metrics, then we will have achieved a major milestone.

However, in the interim, we have some proxy measures to gauge our impact. First and foremost is membership retention. Since our members are for-profit companies, if they did not find value in CTA, they would not stay in the Alliance. Second, we track our social media followers, attendance at our virtual and physical events, and how often we are cited in news articles. Third, we look for CTA’s influence and thought leadership in threat intelligence sharing and cybersecurity policy.

Many nonprofits and small organizations aren’t part of traditional threat intel ecosystems. How is CTA working to make threat intelligence more inclusive and accessible to them?

The cybersecurity industry does not produce threat intelligence geared towards nonprofits and small organizations. It tends to limit threat intelligence to highly technical data that most organizations, even large for-profit ones, do not have the capability to consume or produce. We should not expect most organizations to develop the capability to produce and consume technical threat intelligence. It’s not economically rational, nor practical, as evidenced by 25 years of efforts to increase intelligence sharing. Instead, CTA supports a different approach to threat intelligence.

First, we expand the definition of cyber threat intelligence to include a much wider array of information, such as tactical warnings (‘this malicious actor is targeting you right now’) that include recommendations to update the firmware on specific devices. Second, we believe threat intelligence providers should focus on the decisions that nonprofits and small organizations need to make and then tailor threat intelligence to those decisions. For example, do they need to change a password or update a device? If so, then the threat intelligence should just say that: answer the relevant questions directly and not necessarily include all the reasons why. Further, information should be provided in a way that a non-expert can act on it. Third, we should stop expecting most organizations to become technically sophisticated when it comes to threat intelligence. Instead, we should expect technically sophisticated companies, especially cybersecurity companies, to share technical threat intelligence with each other and then use that increased knowledge to protect others. Under this approach to threat intelligence, CTA would serve as a force multiplier, enabling other information sharing organizations to focus on the information their members need and can consume, rather than trying to get everyone to produce and consume technical threat intelligence.

How do you maintain trust and cooperation among member companies who might otherwise be competitors?

We work hard at maintaining trust and cooperation. These elements are not byproducts of our work; rather, we actively take steps to support trust and cooperation every day. At a fundamental level, our bylaws and operating guidelines establish guardrails. For example, we do not discuss competitively sensitive information, such as product designs, prices, or custom information in CTA channels, and we remind everyone of this fact by reading an anti-trust compliance statement at the start of every meeting. We also emphasize that the purpose of sharing threat intelligence is to use it, so members should expect that other members will use the shared technical threat intelligence in their products and services. CTA staff maintain a scrupulous neutrality among our members. We respond quickly if a member expresses concern about the actions of another member. At the end of the day, it is about creating a culture that reinforces trust and cooperation and then supporting that culture with both formal and informal rules.

What would be lost if CTA disappeared tomorrow and how do you ensure its long-term sustainability as a nonprofit?

If CTA disappeared, then the cybersecurity industry would lose its primary sharing organization; no other ISAC has cybersecurity companies as primary members. Without CTA, the “friction” or transaction cost of sharing information between cybersecurity companies would increase. The cybersecurity industry would also lose a voice in the policy process.

As a membership association, our primary revenue comes from annual membership fees. As long as we continue to provide a valuable service to our members, then we can ensure CTA’s long-term sustainability. The key is to constantly adapt to our members’ changing needs and to make sure that we enable the highest quality threat intelligence sharing experience we can. Another part of our strategy is to expand our membership base by expanding the types of information we can share and increasing the diversity of company types that can be members.

You have been leading Common Good Cyber. What can the initiative do for CTA’s mission?

While CTA focuses on threat intelligence sharing among for-profit cybersecurity companies, ultimately, we want to make cyberspace safer for everyone. Nonprofits carry out some key cybersecurity functions and protect entities that cannot otherwise afford cybersecurity services, which means that making cyberspace safer requires a robust nonprofit sector. Therefore, when the Common Good Cyber initiative succeeds, then the entire ecosystem benefits – including CTA and its member companies.   
