Contents
1 Executive Summary
6 CDA case study: using PET to drive collective action in the cybercrime ecosystem
6.1 The pilot: secure and confidential querying
6.2 Results
Recommendations
Contributors
Endnotes
Cyber information sharing is the ability of an ecosystem to share intelligence at scale with many different stakeholders, generating the right level of situational awareness for organizations to defend themselves. By doing this the ecosystem can answer what has been, and what can be, done about malicious activity. Organizations need to be able to do this in three key domains:

1. Strategic: Information that can help enterprises understand the type of threat they are defending against, the motivation and capability of the threat and the potential consequences and risks of attacks.

2. Operational: Information that can help enterprises' decision‑making, resource allocation and task prioritization. It includes trend analysis showing the technical direction of threat actors and an understanding of malicious tactics, techniques and procedures.

3. Technical: Information from technical data, sources and systems that provides insights that can influence tactical decisions. This data is typically derived from near real‑time monitoring and sharing of the network information required for adjusting an organization's security.3
Cyber information sharing can also drive collective investigations and action between the public and private sectors. Cybercrime cannot be addressed without creating a more effective deterrence model: confronting the source of cybercriminal activity, reducing the return on investment and making the risk of prosecution real.

Conventional criminal justice efforts are failing to limit the risks of engaging in malicious online activity. In the US, the likelihood of successfully prosecuting a cybercrime is estimated at 0.05%, far below the 46% rate of prosecution for violent crime.4 The most successful information sharing models emerging in the global community, and which can detect and disrupt cybercrime, are between law enforcement and the private sector. Unlike traditional crime, the skills, data and capabilities to detect and disrupt cybercrime often reside within the private sector.

More such models are required, but these emerging models have been difficult to scale up. Sharing information between parties is fraught with potential privacy, security and due process concerns, as well as the challenge of ensuring protections for the rights to free expression, association and political participation. Incentive models remain nascent, as groups try to understand who bears the cost and responsibility for driving collective action.
1. Digital transformation, fast development of technology and COVID‑19

The digital technologies on which new value depends have driven the increasing importance of, and focus on, cybersecurity as a strategic issue. A major risk to the global economy is that cybersecurity issues act as a strategic barrier to trade and that a widening digital attack surface becomes increasingly complex to defend effectively. The effects of the pandemic have made it all the more urgent to address this. Large‑scale, rapid and largely unplanned digitization throughout sectors and industries has transformed the global reliance on digital infrastructure and its integrity. Cybersecurity in the wake of the pandemic was cited as the third major risk identified by global executives, after the risk of a prolonged recession and the expectation of bankruptcy.6

Critically, COVID‑19 has the potential to exacerbate the gulf between the cyber haves and have‑nots. The most well‑resourced and cyber‑mature institutions are now potentially at odds with those rapidly digitizing in the least mature markets and sectors, who are also potentially affected by major market and financial pressures.

The digital ecosystem is not standing still. The most important technologies of the near future will alter the security landscape in a series of major shifts, not just incremental changes. New technologies will change what needs to be defended and how attackers are targeting it. This will be a major challenge to information sharing operational and governance models as they are currently designed. If action is not taken to incentivize a new information sharing paradigm, the community might not have sufficient capabilities to deliver the resilience and assurance the world is demanding.

For example, adversarial use of AI has the potential to outpace the scale and impact of current cyber defence approaches, but probabilistic and machine learning information sharing for network defence is still in a nascent form, and not consistently built into industry frameworks and operating models. As these AI‑based information sharing and network defence systems begin to be more widely implemented, they will have to overcome challenges similar to those faced by social media and technology providers in their attempts at AI‑based content moderation.7

5G has the potential to connect "Everything and Everyone", including entirely new industries, use cases and billions of devices that the security community will also need to protect.8 Cross‑jurisdictional and cross‑sector information sharing will be required on a far greater scale, and at a pace and complexity, for which the community is currently underprepared, especially given that in this new data paradigm the ability to share and act on insights will be of paramount importance.
Seven key challenges the global security community needs to address
1. Gaps in jurisdictions and cross‑sector collaboration

Even where there is relative maturity in sectors for information sharing, trust issues and barriers to collaboration remain between regions. Many information‑sharing groups have emerged from, or are associated with, national legislative or regulatory authorities. Consequently, specific jurisdictions might be absent from some information‑sharing groups due to wider considerations. This is the case where there are restrictions on jurisdictions collaborating.

The greatest progress on promoting cyber‑information sharing has emerged out of the most cyber‑mature sectors and countries, in particular the US and European financial services (FS‑ISAC), and in frameworks such as those provided by NIST.9 In less developed markets and sectors, however, greater progress is needed. For example, in Africa just eight countries have a national strategy on cybersecurity and only 13 have a government Computer Emergency Response Team, which typically acts as a vehicle for establishing national information sharing programmes.10 Cross‑sector collaboration was specifically addressed in US President Barack Obama's Executive Order 13691, which looked to establish new Information Sharing and Analysis Organizations (ISAOs) as a way of promoting more sectoral collaboration.11

2. Skills and capabilities

The cybersecurity skills gap is well documented.12 This pressure on resources significantly affects organizations' ability to build and deploy the requisite advanced skills and capabilities to facilitate information sharing and make use of it themselves. Threat intelligence, as a specialized sub‑discipline of this cybersecurity skills market, is particularly affected, given the skills and experience required to fulfil the role.

In the 2020 UK government cybersecurity skills report, threat intelligence was listed as one of the most sought‑after technical skills. Nearly one‑fifth of all businesses that responded stated they had a skills gap associated with threat intelligence, the fourth‑highest technical skill gap listed after security architecture, forensics and penetration testing.13

3. Trust and privacy

There is a lack of trust between key players at operational and governmental levels, which needs to be developed to facilitate information sharing. Geopolitical drivers and fragmentation in international co‑operation can affect public‑sector enthusiasm for data exchange programmes. The private sector is often reluctant to share information with governments for fear of regulatory impact, to avoid complicity in any privacy and rights violations and because it often sees no benefit in doing so. Cross‑sector information sharing is further hampered by fears about giving competitors an advantage, as well as concerns about sharing sensitive internal data.

Free cross‑border information sharing is additionally complicated by the possible threats to human rights protections when information is shared with states that have a weak rule of law or a history of systemically violating human rights.14 The lack of sector‑specific guidance tools mapping pre‑existing privacy principles, responsibilities, harms and remedies to the creation and management of cross‑sector information sharing has caused uncertainty. This, in turn, delays efforts to build cross‑sectoral programmes.15

4. Legislation, policy and data fragmentation

There is a current lack of alignment and harmonization across jurisdictions, and in many cases conflicting regulations in relation to the sharing of cyber information, especially with regard to concerns over the disclosure of what could be considered sensitive proprietary information by an organization. More dramatically, the trend towards data localization, where governments mandate that data on their citizens or residents can only be stored within their country and/or must meet local privacy and security mandates before being transferred externally, can frustrate, or outright forbid, the fluid sharing of certain information.
5.1 AI and ML

AI and ML are potentially transformative for cybersecurity and the information‑sharing landscape. They dramatically expand the amount of data available to security teams and researchers, at the same time as automating and scaling up the analytical and defence capabilities of organizations.

An important first step towards facilitating the information‑sharing process, and being able to operationalize the data, is having standardized formats and shared, interoperable platforms. These are, however, primarily designed to facilitate the sharing of highly technical data such as indicators of compromise (IoCs), which are generally low‑level, structured data. This definition needs to be expanded to include everything from unstructured raw data (e.g. network flows) to unstructured insights (e.g. tactics, techniques and procedures (TTPs)).

Many attacks are diagnosed through the manual analysis of highly technical data, which is fundamentally not scalable. More importantly, these analytical skills are highly sought after, expensive and generally not available to the vast majority of enterprises. Consequently, there is an urgent need to incentivize tools that automatically extract meaningful cybersecurity insights from such data without human intervention.

AI and ML have been immensely successful in extracting insights from big data in other domains. Historical obstacles to the deployment of AI/ML are rapidly being overcome by the cybersecurity community, whose technical efforts are centred on three key pillars of capability:

1. Clean data – Data is now produced in more shared standards than ever before. Enterprises that have enough relevant attack data can now train reliable defensive models, especially if that data is labelled, indexed and of high quality. AI can help by cleaning up previously unstructured data using the latest techniques in Natural Language Processing (NLP). This will make vast amounts of previously unusable data available for sharing and analysis.

2. Reliable algorithms – With clean data comes the ability to generate reliable algorithms. Deep learning in particular has led to the development of algorithms with remarkable accuracy levels. This means enterprises have higher detection rates with fewer false positives, which makes them more likely to be put into production and enhance organizations' defensive postures. These advances have made AI systems accurate enough for many corporate defensive systems (where risks around false positives may not lead to liability). But far greater precision may be required for AI systems that collect and share information, as false positives in those systems could lead to inappropriate sharing of personal and/or proprietary information.

3. Explainable AI – With clean data and reliable algorithms, enterprises can start to put appropriate governance and standard operating procedures in place. The security community has been able to make strides in the field of interpretable AI, which aims to design models that produce both outputs and explanations for those outputs. Defenders are now able to understand and explain the rationale of any automated decision‑making in the models and systems, including for full accountability and audit. Addressing many current and future legislative challenges related to information sharing will require that all decisions made by AI‑based systems be explainable. AI systems used in information collection, sharing and use that cannot provide satisfactory answers to legal questions posed against them will likely become barriers to information sharing.
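As a minimal sketch of the automated extraction the pillars above depend on, the snippet below pulls two common structured IoC types (IPv4 addresses and SHA‑256 hashes) out of unstructured report text with regular expressions. The patterns, helper name `extract_iocs` and sample report are illustrative assumptions, not anything prescribed by this report; production pipelines layer NLP and validation on top so that false positives are not shared onwards.

```python
import re

# Illustrative-only extractor: two regexes for common IoC types.
# (Hypothetical sample text; real systems validate candidates
# before sharing them.)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[a-fA-F0-9]{64}\b")

def extract_iocs(text: str) -> dict:
    """Return de-duplicated candidate indicators found in text."""
    return {
        "ipv4": sorted(set(IPV4.findall(text))),
        "sha256": sorted(h.lower() for h in set(SHA256.findall(text))),
    }

report = ("The dropper beacons to 203.0.113.7 and writes a payload "
          "with hash " + "ab" * 32 + " to disk.")
iocs = extract_iocs(report)
```

The point of the sketch is the shape of the problem: free‑form analyst prose in, structured and shareable indicators out, with no human in the loop.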
PETs are another set of emerging technologies with the potential to alter the cybersecurity and information‑sharing landscape. PETs can give senior leaders assurance that the benefits of data sharing can be realized while adhering to data protection and privacy requirements, and while managing corporate risk, by "enabling the analysis and the sharing of insights without requiring the sharing of the underlying data itself".19 These technologies will be essential for the future of information sharing because overcoming a lack of trust or legal mandates will demand that systems have safeguards in place to protect against malicious attempts to access and/or derive sensitive data from within them.

Specifically, this could be transformative for enabling joint investigations between the public and private sectors, which can drive collective action. These technologies could be used to identify potential data and investigative opportunities in different organizations and jurisdictions with high levels of assurance and integrity, without the parties sharing the data with each other directly. For private companies, the ability to secure shared data across jurisdictions, or across silos within their own organization, as well as to work collaboratively on sensitive data with third parties, opens the door to a number of business use cases that are currently restricted or prevented by regulatory and legal barriers.

As outlined in the World Economic Forum's whitepaper on PETs, there are two important categories of techniques that can underpin next‑generation information‑sharing programmes:20

1. Encrypted computation: a suite of algorithms that enable parties (particularly in low‑trust environments) to compute queries on each other's data without ever learning the other party's data, including federated analysis, homomorphic encryption, zero‑knowledge proofs and secure multiparty computation.

2. Differential privacy: can be used to limit the amount of private information leaked by the results of these queries, shared data or models by adding noise to a data set so that it is impossible to reverse engineer the individual outputs.
The ability to make analytic computations over data that is already encrypted could represent a transformative shift for organizations looking to collaborate with a wider ecosystem of partners while maintaining complete confidentiality and security and managing associated risks.

Data has three basic states: at rest, in transit and in use. Organizations that handle sensitive or confidential data typically protect the privacy and confidentiality of that data by encryption. Traditionally, encryption is used to protect data at rest or in transit. Whenever data needs to be processed, analysed, manipulated or used in any way, however, it must be decrypted, leaving it vulnerable, particularly when shared and analysed by third parties.

Algorithms such as homomorphic encryption (HE) can start to address this strategic issue. HE allows computations to be performed on encrypted data, thereby keeping data secure throughout the data lifecycle. While the mathematical theory has been known for some time, recent advances have accelerated the potential real‑world applications and made HE practical for computations on data sets at scale. The technology is now rapidly moving towards global standards, and open consortiums are working together to ensure global interoperability and accessibility of the technology.21

HE alleviates the need for a trusted third party by also enabling the encryption of the analytics themselves. By protecting the privacy of sensitive data, analytics and AI models, this opens up new ways in which multiple parties can collaborate to glean deeper insights while overcoming trust and security challenges.

Organizations that are pioneering this technology for information sharing are now seeing these benefits:

– Secure and federated data analysis: organizations can have their encrypted data analysed by AI and analysts without revealing the underlying data

– Secure data linkage: multiple organizations can contribute encrypted data for joint analysis and investigations

– Secure search: organizations can send encrypted queries to one another's databases without revealing the details of their query

– Privacy‑preserving machine learning: organizations can encrypt AI models, protecting the model itself while preserving accuracy
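To make "computing on encrypted data" concrete, here is a deliberately insecure textbook sketch of the Paillier cryptosystem, a classical additively homomorphic scheme: multiplying two ciphertexts yields an encryption of the sum of the plaintexts. The tiny primes are assumptions chosen only so the demo runs instantly; the HE platforms this report describes use vetted libraries, far larger parameters and richer schemes than this sketch.

```python
import math
import random

# Textbook Paillier (additively homomorphic) -- demo only.
# Tiny primes and no hardening: never use this for real data.

def keygen(p=1789, q=1907):
    n = p * q
    n2 = n * n
    lam = math.lcm(p - 1, q - 1)
    g = n + 1
    # mu = L(g^lam mod n^2)^-1 mod n, where L(x) = (x - 1) // n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pub, m):
    n, g = pub
    n2 = n * n
    r = random.randrange(1, n)          # random blinding factor
    while math.gcd(r, n) != 1:
        r = random.randrange(1, n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return (pow(c, lam, n2) - 1) // n * mu % n

pub, priv = keygen()
c1, c2 = encrypt(pub, 123), encrypt(pub, 456)
# Multiplying ciphertexts adds the hidden plaintexts:
assert decrypt(pub, priv, c1 * c2 % (pub[0] ** 2)) == 579
```

This additive property is exactly what makes encrypted aggregation possible: a third party can combine the ciphertexts and return a result without ever holding a decryption key.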
For some parties sharing cyberthreat information, a further level of protection may be required. While the previous approaches protect organizations' data through encryption, the results of encrypted data analytics can, in some cases, reveal sensitive information. For example, AI and ML models can leak information about the data that was used to train them, even if the model was trained entirely on encrypted data. Fortunately, there exist techniques for ensuring that the final outputs of data analytics pipelines do not leak sensitive information about the underlying data (e.g. PII).

Differential privacy is one leading such technique, used today by companies like Google and Apple to collect data from their users without compromising the users' privacy. Roughly, it works by altering learned models to ensure that no single piece of input data contributes too much to the final model. Differential privacy is part of a broader class of privacy techniques that rely on obfuscation rather than encryption. It is performed by altering the statistical properties of data or models to prevent adversaries from reconstructing the original data. Classical techniques for obfuscating PII (e.g. redacting data, releasing only aggregated data) are examples of obfuscation techniques with weaker privacy guarantees than differential privacy.

Differential privacy is an active field of research and several challenges remain regarding its practical implementation and applicability. Chief among them is that differentially private models tend to have worse accuracy than non‑differentially private ones. In general, the stronger a model's differential privacy guarantee, the worse the model's quality. For enterprises charged with defending their networks in real time, more work needs to be done to understand the practical applicability of such models that balance privacy and sharing actionable insight.
– Technical services that provide the infrastructure and expertise for attacks, the exploitation of vulnerabilities and gaining access to sensitive data and networks that can then be monetized

– Cash‑out and laundering services to enable the successful monetization of stolen data

The advantage of a privacy‑preserving analytical capability is that it can enable the distribution of tactical search queries without disclosing the search terms. This negates the risks of disclosure and regulatory breach, while providing authorities with an investigative capability across multiple entities.
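The idea of distributing a search query without disclosing the search term can be sketched with a toy Diffie-Hellman-style blinded match: the inquirer's term leaves its systems only in blinded form, yet a hit against a responder's records is still detectable. The identifiers, modulus and protocol shape are illustrative assumptions; production systems use vetted private-set-intersection or HE protocols rather than this sketch.

```python
import hashlib
import secrets

# Toy blinded matching (Diffie-Hellman style), demo parameters only.
P = 2**127 - 1  # Mersenne prime modulus for the demo group

def hg(item: str) -> int:
    """Hash an identifier into the demo group."""
    return int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % P

a = secrets.randbelow(P - 2) + 1  # inquirer's secret exponent
b = secrets.randbelow(P - 2) + 1  # responder's secret exponent

query = "acct:GB29-0001"                         # hypothetical indicator
records = ["acct:GB29-0001", "acct:DE89-0002"]   # responder's data

blinded_query = pow(hg(query), a, P)       # all the responder ever sees
double_blinded = pow(blinded_query, b, P)  # responder's reply
blinded_records = [pow(hg(r), b, P) for r in records]

# The inquirer completes the exponentiation; exponents commute, so a
# match is detected without either side seeing the other's raw values.
match = double_blinded in {pow(x, a, P) for x in blinded_records}
```

Because the responder only ever sees `blinded_query`, it learns that a search occurred but not what was searched for, which is the property the pilot below relies on.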
Within the CDA, a consortium of four global financial institutions and the UK's Metropolitan Police used a PET‑enabled collaborative platform to improve their ability to identify fraud in data by interrogating each other's systems for suspicious cybercrime activity. Intelligence requirements and data sources were pre‑agreed by all participants. This allowed the automatic exchange of data across participants' systems, saving time and resources for investigative teams while retaining a higher level of integrity than previously.
[Figure: The CDA confidential querying pilot – an inquirer's encrypted queries pass through the CDA platform to users at Bank A, Bank B and Bank C. Source: Duality Technologies.]
The CDA is a pioneering case study for a potential future operating model for cybercrime investigations. By coordinating an interoperable solution across multiple commercial parties and public authorities, sensitive search parameters pertinent to cybercrime investigations, including PII, account numbers, transaction data and competitive information, remained encrypted during the process, so that the subjects of investigations remained protected at all times.

Compliance and preservation of privacy and confidentiality: Encryption protects the sensitive query details, and no sensitive data was exposed during the process. Confidential querying also prevented insider tip‑offs, which could have seen suspicious accounts closed before law enforcement had been able to continue the investigation with the bank in question.

Timely responses from partner banks enabled more efficient responses to detect and deter malicious activity. For law enforcement, this meant being able to take proactive, timely action to stop funds before they were transferred further through the laundering network.

Improved attribution and case building by banks and law enforcement (as a result of better information delivered in a timely manner) reduced criminals' return on investment and potentially their ability to operate.
"Until now it's been like Sophie's choice: guaranteed privacy of sensitive data versus supporting the fight against criminality. HE means we keep both, sharing insights without sharing customer details."

Paul Branley, Director of Strategy and Innovation, Lloyds Banking Group
[Figure: Threat‑intelligence sharing ecosystem – sources such as OSINT, honeynets, IoT sensors, the deep/dark web and external tips feed shared AI/ML threat intelligence across pilots including anti‑DDoS, eHealth and finance, with partners such as ETNO, GSMA and CIRCL.]
The Forum would like to thank the following for their contributions.

Arina Pazushko, Head of External Affairs, BI.ZONE

Samantha Kight, Security Operations Director, GSMA

Olaf Kruidof, Team Lead of Capability and Innovation, Europol