Privacy laws should not deter threat sharing in APAC

SINGAPORE--Threat sharing is necessary in today's complex IT environment but should not be hindered by potential privacy issues from the rise in privacy and data protection laws in the region.

According to Kenneth Minihan, former director of the U.S. national security agency, one aspect of public-private collaboration among organizations to combat the increasing sophistication of cyberthreats is the sharing of threat information.

Speaking at GovernmentWare 2012 Conference and Exhibition here Tuesday, he explained in today's world of evolving new technology and complex cyberthreats such as Advanced Persistent Threats (APTs), the sharing of valuable threat intelligence is necessary, can give more insight to cyberthreats and enable organizations to develop more effective solutions against them.

Privacy implications and obstacles
Adopting this practice in the Asia-Pacific region could give rise to privacy implications, especially with many countries in the region beginning to adopt privacy and data protection laws, Ashar Aziz, founder and CEO of FireEye, told ZDNet Asia on the sidelines of the event.

Another security watcher, Eddie Schwartz, chief security officer of RSA also agreed, noting there may even be privacy advocacy groups protesting against threat sharing since it goes against data protection, which was why the cybersecurity bill had not been passed in the U.S.

However, both public and private organizations must not hold back the sharing of threat intelligence because of the rise of privacy laws and data protection, he advised.

"A company is an island if they are only looking at their own threat information because it narrows their view," Schwartz said. "They will have power over APTs if they work together and spot the 'bad things' over real-time intelligence."

What organizations must do is to strike a balance between sharing of threat information without violating citizen privacy, Aziz said.

For example, if an individual gets breached, organizations can leave out personal information such as the IP address of the person while understanding and sharing other "more valuable" aspects of the attack such as where it originated from and how the malware is like, Schwartz suggested.

At the government level, since each Asian country may have differing privacy and data protection laws, there could be one agency within each country which collates intelligence without including personal data or sensitive information so it will not lead to cross-border tensions and disagreements over what is considered privacy or not, Aziz added.

Organizations not proactive against APTs
That said, Masagos Zulkifli bin Masagos Mohamad, Singapore's senior minister of state, ministry of home affairs and foreign affairs, highlighted in his keynote that APTs are a key cyberthreat. They are able to continuously evade detection, circumvent counter measures and seek out new loopholes within computer systems, he noted.

Even though organizations have stepped up their cyberdefenses, cybercriminals are still not deterred from looking for new entry vectors, the minister noted.

Many of them are still focused on "traditional security" or complying with regulations because this is how most of them have been trained, Schwartz explained. Making security more "proactive" would also mean changing the way business is done and is "difficult" for most organizations, he pointed out.

The signature-based security systems used by many organizations are also designed to detect "known threat actors", or threats which can be detected easily through "pattern matching or recognizing bad Web sites", Aziz added.

They should also start to use systems only detect known attacks, but systems that are able to detect anomalies and go beyond the usual methods of picking up threats, because APTs are after all, unknown threat actors, he advised.

"In order to be more proactive, organizations should adopt the mentality that they have been 'breached on some level' and start repairing the damage, instead of waiting for something to happen before starting on security," Schwartz said.