Five eyes push to declassify security vulnerability data

Security pundits push for Australian and allied agencies to release threat information to industry.

Formal efforts are being made between Australia and its allies to declassify security vulnerability and threat information to assist the private sector.

The initiative between Australia, Canada, New Zealand, Britain and the US -- known as the Five Eyes -- seeks to open up a wealth of security intelligence held by government agencies to help organisations better secure themselves. 

[Photo: Howard Schmidt]

The group wants to convince intelligence agencies to declassify vulnerability and threat data while censoring the sources and methods through which the data is obtained.

Howard Schmidt, a former long-serving White House cyber security advisor to Presidents George W Bush and Barack Obama, has worked on the project with Australian counterparts including national security advisor Dr Margot McCarthy and National Security chief information officer Rachael Noble.

"Governments find this information say through their signals intelligence and they say they have to classify it, and that is not necessarily the case," Schmidt told SC.

"We should turn this whole world of intelligence and law enforcement upside down when it comes to cyber.

"It should be that if you have something that affects critical infrastructure, you have 24 hours to come up with why it should be classified. If not, give it to private industry."

Schmidt flagged the need to declassify data during his years at the White House and said progress had been made prior to his resignation from the job in May last year.

In Australia, concerns have been previously raised over the Federal Government's excessive classification of documents.

Schmidt said suppressing such information denies organisations the ability to defend themselves against attack, and noted that it can take months for information to be declassified.

"[In 2011] we had an intrusion on a major corporation in the finance sector and had meeting after meeting in the White House. From the time the FBI was notified, DHS (Department of Homeland Security) and the Department of Defense all responded [but] it took 102 days from the time it was reported to the time they went out to industry members. It is unconscionable."

If the declassification effort fails -- and it is thought to have stalled amid the recent US Congress reshuffle -- then Schmidt said the private sector should take charge and share vulnerability and threat data.

Cyber-soft state

Governments should maintain a defensive role in cyberspace and steer away from "foolish" ambitions to develop offensive technology like malware, according to Schmidt.

This is because cyber weaponry like Stuxnet will likely -- inevitably, Schmidt said -- be discovered by the infosec research community.

In recent years, security researchers have discovered and extensively detailed malware thought to have been developed by nation-states to launch attacks and conduct espionage against foreign interests.

Stuxnet, allegedly designed by US intelligence agencies, was discovered by the Belarus-based anti-virus company VirusBlokAda. The complex Flame (also known as Skywiper) trojan was revealed by Iran's computer emergency response team, and the Duqu worm was revealed by the Budapest-based CrySyS Lab.

Schmidt said developing such offensive tools is also reckless because the resulting attacks can cause collateral damage to critical private infrastructure, and the malware can be reverse-engineered and repurposed for further attacks.

To this end, he said "dangerous" cyberwar rhetoric should be avoided.

Darren Pauli travelled to the United States as a guest of Kaspersky.

Copyright © SC Magazine, Australia
